aws-sdk-cognitoidentityprovider 1.65.0 → 1.68.0

@@ -52,7 +52,7 @@ module Aws::CognitoIdentityProvider
52
52
  #
53
53
  # @!attribute [rw] event_action
54
54
  # The action to take in response to the account takeover action. Valid
55
- # values are:
55
+ # values are as follows:
56
56
  #
57
57
  # * `BLOCK` Choosing this action will block the request.
58
58
  #
@@ -354,11 +354,11 @@ module Aws::CognitoIdentityProvider
354
354
  # @return [Boolean]
355
355
  #
356
356
  # @!attribute [rw] unused_account_validity_days
357
- # The user account expiration limit, in days, after which the account
358
- # is no longer usable. To reset the account after that time limit, you
359
- # must call `AdminCreateUser` again, specifying `"RESEND"` for the
360
- # `MessageAction` parameter. The default value for this parameter is
361
- # 7.
357
+ # The user account expiration limit, in days, after which a new
358
+ # account that hasn't signed in is no longer usable. To reset the
359
+ # account after that time limit, you must call `AdminCreateUser`
360
+ # again, specifying `"RESEND"` for the `MessageAction` parameter. The
361
+ # default value for this parameter is 7.
362
362
  #
363
363
  # <note markdown="1"> If you set a value for `TemporaryPasswordValidityDays` in
364
364
  # `PasswordPolicy`, that value will be used, and
@@ -1127,9 +1127,11 @@ module Aws::CognitoIdentityProvider
1127
1127
  # @return [Types::AnalyticsMetadataType]
1128
1128
  #
1129
1129
  # @!attribute [rw] context_data
1130
- # Contextual data such as the user's device fingerprint, IP address,
1131
- # or location used for evaluating the risk of an unexpected event by
1132
- # Amazon Cognito advanced security.
1130
+ # Contextual data about your user session, such as the device
1131
+ # fingerprint, IP address, or location. Amazon Cognito advanced
1132
+ # security evaluates the risk of an authentication event based on the
1133
+ # context that your app generates and passes to Amazon Cognito when it
1134
+ # makes API requests.
1133
1135
  # @return [Types::ContextDataType]
1134
1136
  #
1135
1137
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/AdminInitiateAuthRequest AWS API Documentation
@@ -1185,9 +1187,21 @@ module Aws::CognitoIdentityProvider
1185
1187
  # enabled to use this flow.
1186
1188
  #
1187
1189
  # * `NEW_PASSWORD_REQUIRED`\: For users who are required to change
1188
- # their passwords after successful first login. This challenge
1189
- # should be passed with `NEW_PASSWORD` and any other required
1190
- # attributes.
1190
+ # their passwords after successful first login. Respond to this
1191
+ # challenge with `NEW_PASSWORD` and any required attributes that
1192
+ # Amazon Cognito returned in the `requiredAttributes` parameter. You
1193
+ # can also set values for attributes that aren't required by your
1194
+ # user pool and that your app client can write. For more
1195
+ # information, see [AdminRespondToAuthChallenge][1].
1196
+ #
1197
+ # <note markdown="1"> In a `NEW_PASSWORD_REQUIRED` challenge response, you can't modify
1198
+ # a required attribute that already has a value. In
1199
+ # `AdminRespondToAuthChallenge`, set a value for any keys that
1200
+ # Amazon Cognito returned in the `requiredAttributes` parameter,
1201
+ # then use the `AdminUpdateUserAttributes` API operation to modify
1202
+ # the value of any additional attributes.
1203
+ #
1204
+ # </note>
1191
1205
  #
1192
1206
  # * `MFA_SETUP`\: For users who are required to set up an MFA factor
1193
1207
  # before they can sign in. The MFA types activated for the user pool
@@ -1200,6 +1214,10 @@ module Aws::CognitoIdentityProvider
1200
1214
  # complete sign-in. To set up SMS MFA, users will need help from an
1201
1215
  # administrator to add a phone number to their account and then call
1202
1216
  # `InitiateAuth` again to restart sign-in.
1217
+ #
1218
+ #
1219
+ #
1220
+ # [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminRespondToAuthChallenge.html
1203
1221
  # @return [String]
1204
1222
  #
1205
1223
  # @!attribute [rw] session
@@ -1267,12 +1285,11 @@ module Aws::CognitoIdentityProvider
1267
1285
  #
1268
1286
  # @!attribute [rw] destination_user
1269
1287
  # The existing user in the user pool that you want to assign to the
1270
- # external identity provider user account. This user can be a native
1271
- # (Username + Password) Amazon Cognito user pools user or a federated
1272
- # user (for example, a SAML or Facebook user). If the user doesn't
1273
- # exist, Amazon Cognito generates an exception. Amazon Cognito returns
1274
- # this user when the new user (with the linked identity provider
1275
- # attribute) signs in.
1288
+ # external IdP user account. This user can be a native (Username +
1289
+ # Password) Amazon Cognito user pools user or a federated user (for
1290
+ # example, a SAML or Facebook user). If the user doesn't exist,
1291
+ # Amazon Cognito generates an exception. Amazon Cognito returns this
1292
+ # user when the new user (with the linked IdP attribute) signs in.
1276
1293
  #
1277
1294
  # For a native username + password user, the `ProviderAttributeValue`
1278
1295
  # for the `DestinationUser` should be the username in the user pool.
@@ -1289,30 +1306,29 @@ module Aws::CognitoIdentityProvider
1289
1306
  # @return [Types::ProviderUserIdentifierType]
1290
1307
  #
1291
1308
  # @!attribute [rw] source_user
1292
- # An external identity provider account for a user who doesn't exist
1293
- # yet in the user pool. This user must be a federated user (for
1294
- # example, a SAML or Facebook user), not another native user.
1309
+ # An external IdP account for a user who doesn't exist yet in the
1310
+ # user pool. This user must be a federated user (for example, a SAML
1311
+ # or Facebook user), not another native user.
1295
1312
  #
1296
- # If the `SourceUser` is using a federated social identity provider,
1297
- # such as Facebook, Google, or Login with Amazon, you must set the
1298
- # `ProviderAttributeName` to `Cognito_Subject`. For social identity
1299
- # providers, the `ProviderName` will be `Facebook`, `Google`, or
1300
- # `LoginWithAmazon`, and Amazon Cognito will automatically parse the
1301
- # Facebook, Google, and Login with Amazon tokens for `id`, `sub`, and
1302
- # `user_id`, respectively. The `ProviderAttributeValue` for the user
1303
- # must be the same value as the `id`, `sub`, or `user_id` value found
1304
- # in the social identity provider token.
1313
+ # If the `SourceUser` is using a federated social IdP, such as
1314
+ # Facebook, Google, or Login with Amazon, you must set the
1315
+ # `ProviderAttributeName` to `Cognito_Subject`. For social IdPs, the
1316
+ # `ProviderName` will be `Facebook`, `Google`, or `LoginWithAmazon`,
1317
+ # and Amazon Cognito will automatically parse the Facebook, Google,
1318
+ # and Login with Amazon tokens for `id`, `sub`, and `user_id`,
1319
+ # respectively. The `ProviderAttributeValue` for the user must be the
1320
+ # same value as the `id`, `sub`, or `user_id` value found in the
1321
+ # social IdP token.
1305
1322
  #
1306
1323
  #
1307
1324
  #
1308
1325
  # For SAML, the `ProviderAttributeName` can be any value that matches
1309
1326
  # a claim in the SAML assertion. If you want to link SAML users based
1310
1327
  # on the subject of the SAML assertion, you should map the subject to
1311
- # a claim through the SAML identity provider and submit that claim
1312
- # name as the `ProviderAttributeName`. If you set
1313
- # `ProviderAttributeName` to `Cognito_Subject`, Amazon Cognito will
1314
- # automatically parse the default unique identifier found in the
1315
- # subject from the SAML token.
1328
+ # a claim through the SAML IdP and submit that claim name as the
1329
+ # `ProviderAttributeName`. If you set `ProviderAttributeName` to
1330
+ # `Cognito_Subject`, Amazon Cognito will automatically parse the
1331
+ # default unique identifier found in the subject from the SAML token.
1316
1332
  # @return [Types::ProviderUserIdentifierType]
1317
1333
  #
1318
1334
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/AdminLinkProviderForUserRequest AWS API Documentation
@@ -1679,9 +1695,22 @@ module Aws::CognitoIdentityProvider
1679
1695
  # * `ADMIN_NO_SRP_AUTH`\: `PASSWORD`, `USERNAME`, `SECRET_HASH` (if
1680
1696
  # app client is configured with client secret).
1681
1697
  #
1682
- # * `NEW_PASSWORD_REQUIRED`\: `NEW_PASSWORD`, any other required
1683
- # attributes, `USERNAME`, `SECRET_HASH` (if app client is configured
1684
- # with client secret).
1698
+ # * `NEW_PASSWORD_REQUIRED`\: `NEW_PASSWORD`, `USERNAME`,
1699
+ # `SECRET_HASH` (if app client is configured with client secret). To
1700
+ # set any required attributes that Amazon Cognito returned as
1701
+ # `requiredAttributes` in the `AdminInitiateAuth` response, add a
1702
+ # `userAttributes.attributename ` parameter. This parameter can also
1703
+ # set values for writable attributes that aren't required by your
1704
+ # user pool.
1705
+ #
1706
+ # <note markdown="1"> In a `NEW_PASSWORD_REQUIRED` challenge response, you can't modify
1707
+ # a required attribute that already has a value. In
1708
+ # `AdminRespondToAuthChallenge`, set a value for any keys that
1709
+ # Amazon Cognito returned in the `requiredAttributes` parameter,
1710
+ # then use the `AdminUpdateUserAttributes` API operation to modify
1711
+ # the value of any additional attributes.
1712
+ #
1713
+ # </note>
1685
1714
  #
1686
1715
  # * `MFA_SETUP` requires `USERNAME`, plus you must use the session
1687
1716
  # value returned by `VerifySoftwareToken` in the `Session`
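Review bot: The code span `userAttributes.attributename ` in the new `NEW_PASSWORD_REQUIRED` bullet has a trailing space inside the backticks, and nothing marks `attributename` as a placeholder, so it can be read as a literal parameter key. I would close the span directly after the name and add a clause saying it stands for the name of each attribute returned in `requiredAttributes`. The `<note>` that follows repeats word for word the one added to the `AdminInitiateAuth` challenge list earlier in this diff, so a wording fix there applies here too. The bullet list begins and continues outside this hunk.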
@@ -1710,9 +1739,11 @@ module Aws::CognitoIdentityProvider
1710
1739
  # @return [Types::AnalyticsMetadataType]
1711
1740
  #
1712
1741
  # @!attribute [rw] context_data
1713
- # Contextual data such as the user's device fingerprint, IP address,
1714
- # or location used for evaluating the risk of an unexpected event by
1715
- # Amazon Cognito advanced security.
1742
+ # Contextual data about your user session, such as the device
1743
+ # fingerprint, IP address, or location. Amazon Cognito advanced
1744
+ # security evaluates the risk of an authentication event based on the
1745
+ # context that your app generates and passes to Amazon Cognito when it
1746
+ # makes API requests.
1716
1747
  # @return [Types::ContextDataType]
1717
1748
  #
1718
1749
  # @!attribute [rw] client_metadata
@@ -2089,6 +2120,22 @@ module Aws::CognitoIdentityProvider
2089
2120
  #
2090
2121
  # For custom attributes, you must prepend the `custom:` prefix to the
2091
2122
  # attribute name.
2123
+ #
2124
+ # If your user pool requires verification before Amazon Cognito
2125
+ # updates an attribute value that you specify in this request, Amazon
2126
+ # Cognito doesn’t immediately update the value of that attribute.
2127
+ # After your user receives and responds to a verification message to
2128
+ # verify the new value, Amazon Cognito updates the attribute value.
2129
+ # Your user can sign in and receive messages with the original
2130
+ # attribute value until they verify the new value.
2131
+ #
2132
+ # To update the value of an attribute that requires verification in
2133
+ # the same API request, include the `email_verified` or
2134
+ # `phone_number_verified` attribute, with a value of `true`. If you
2135
+ # set the `email_verified` or `phone_number_verified` value for an
2136
+ # `email` or `phone_number` attribute that requires verification to
2137
+ # `true`, Amazon Cognito doesn’t send a verification message to your
2138
+ # user.
2092
2139
  # @return [Array<Types::AttributeType>]
2093
2140
  #
2094
2141
  # @!attribute [rw] client_metadata
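Review bot: The second added paragraph says that passing `email_verified` or `phone_number_verified` as `true` suppresses the verification message, but it never states the consequence: the new value is recorded as verified without the user proving control of it. The `AliasExistsException` text in this same diff shows these attributes can serve as sign-in aliases, so the caveat is worth one more comment sentence, for example `# Set these to true only after your app has confirmed, out of band, that the user controls the new value.` The added lines also spell `doesn’t` with a typographic apostrophe, while the other comments visible in this diff use ASCII (`doesn't`, `can't`). Normalising that keeps the generated docs searchable.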
@@ -2181,12 +2228,15 @@ module Aws::CognitoIdentityProvider
2181
2228
  class AdminUserGlobalSignOutResponse < Aws::EmptyStructure; end
2182
2229
 
2183
2230
  # This exception is thrown when a user tries to confirm the account with
2184
- # an email or phone number that has already been supplied as an alias
2185
- # from a different account. This exception tells user that an account
2186
- # with this email or phone already exists.
2231
+ # an email address or phone number that has already been supplied as an
2232
+ # alias for a different user profile. This exception indicates that an
2233
+ # account with this email address or phone already exists in a user pool
2234
+ # that you've configured to use email address or phone number as a
2235
+ # sign-in alias.
2187
2236
  #
2188
2237
  # @!attribute [rw] message
2189
- # The message sent to the user when an alias exists.
2238
+ # The message that Amazon Cognito sends to the user when the value of
2239
+ # an alias attribute is already linked to another user profile.
2190
2240
  # @return [String]
2191
2241
  #
2192
2242
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/AliasExistsException AWS API Documentation
@@ -2197,8 +2247,8 @@ module Aws::CognitoIdentityProvider
2197
2247
  include Aws::Structure
2198
2248
  end
2199
2249
 
2200
- # The Amazon Pinpoint analytics configuration for collecting metrics for
2201
- # a user pool.
2250
+ # The Amazon Pinpoint analytics configuration necessary to collect
2251
+ # metrics for a user pool.
2202
2252
  #
2203
2253
  # <note markdown="1"> In Regions where Amazon Pinpointisn't available, user pools only
2204
2254
  # support sending events to Amazon Pinpoint projects in us-east-1. In
@@ -2226,7 +2276,7 @@ module Aws::CognitoIdentityProvider
2226
2276
  # The Amazon Resource Name (ARN) of an Amazon Pinpoint project. You
2227
2277
  # can use the Amazon Pinpoint project to integrate with the chosen
2228
2278
  # user pool Client. Amazon Cognito publishes events to the Amazon
2229
- # Pinpointproject declared by the app ARN.
2279
+ # Pinpoint project that the app ARN declares.
2230
2280
  # @return [String]
2231
2281
  #
2232
2282
  # @!attribute [rw] role_arn
@@ -2239,8 +2289,8 @@ module Aws::CognitoIdentityProvider
2239
2289
  # @return [String]
2240
2290
  #
2241
2291
  # @!attribute [rw] user_data_shared
2242
- # If `UserDataShared` is `true`, Amazon Cognito will include user data
2243
- # in the events it publishes to Amazon Pinpoint analytics.
2292
+ # If `UserDataShared` is `true`, Amazon Cognito includes user data in
2293
+ # the events that it publishes to Amazon Pinpoint analytics.
2244
2294
  # @return [Boolean]
2245
2295
  #
2246
2296
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/AnalyticsConfigurationType AWS API Documentation
@@ -2259,12 +2309,14 @@ module Aws::CognitoIdentityProvider
2259
2309
  #
2260
2310
  # An endpoint uniquely identifies a mobile device, email address, or
2261
2311
  # phone number that can receive messages from Amazon Pinpoint analytics.
2312
+ # For more information about Amazon Web Services Regions that can
2313
+ # contain Amazon Pinpoint resources for use with Amazon Cognito user
2314
+ # pools, see [Using Amazon Pinpoint analytics with Amazon Cognito user
2315
+ # pools][1].
2262
2316
  #
2263
- # <note markdown="1"> Amazon Cognito user pools only support sending events to Amazon
2264
- # Pinpoint projects in the US East (N. Virginia) us-east-1 Region,
2265
- # regardless of the Region where the user pool resides.
2266
2317
  #
2267
- # </note>
2318
+ #
2319
+ # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-pinpoint-integration.html
2268
2320
  #
2269
2321
  # @note When making an API call, you may pass AnalyticsMetadataType
2270
2322
  # data as a hash:
@@ -2294,7 +2346,8 @@ module Aws::CognitoIdentityProvider
2294
2346
  # }
2295
2347
  #
2296
2348
  # @!attribute [rw] access_token
2297
- # The access token.
2349
+ # A valid access token that Amazon Cognito issued to the user whose
2350
+ # software token you want to generate.
2298
2351
  # @return [String]
2299
2352
  #
2300
2353
  # @!attribute [rw] session
@@ -2313,8 +2366,8 @@ module Aws::CognitoIdentityProvider
2313
2366
  end
2314
2367
 
2315
2368
  # @!attribute [rw] secret_code
2316
- # A unique generated shared secret code that is used in the time-based
2317
- # one-time password (TOTP) algorithm to generate a one-time code.
2369
+ # A unique generated shared secret code that is used in the TOTP
2370
+ # algorithm to generate a one-time code.
2318
2371
  # @return [String]
2319
2372
  #
2320
2373
  # @!attribute [rw] session
@@ -2414,7 +2467,8 @@ module Aws::CognitoIdentityProvider
2414
2467
  # The authentication result.
2415
2468
  #
2416
2469
  # @!attribute [rw] access_token
2417
- # The access token.
2470
+ # A valid access token that Amazon Cognito issued to the user who you
2471
+ # want to authenticate.
2418
2472
  # @return [String]
2419
2473
  #
2420
2474
  # @!attribute [rw] expires_in
@@ -2489,7 +2543,8 @@ module Aws::CognitoIdentityProvider
2489
2543
  # @return [String]
2490
2544
  #
2491
2545
  # @!attribute [rw] access_token
2492
- # The access token.
2546
+ # A valid access token that Amazon Cognito issued to the user whose
2547
+ # password you want to change.
2493
2548
  # @return [String]
2494
2549
  #
2495
2550
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/ChangePasswordRequest AWS API Documentation
@@ -2508,18 +2563,21 @@ module Aws::CognitoIdentityProvider
2508
2563
  #
2509
2564
  class ChangePasswordResponse < Aws::EmptyStructure; end
2510
2565
 
2511
- # The code delivery details being returned from the server.
2566
+ # The delivery details for an email or SMS message that Amazon Cognito
2567
+ # sent for authentication or verification.
2512
2568
  #
2513
2569
  # @!attribute [rw] destination
2514
- # The destination for the code delivery details.
2570
+ # The email address or phone number destination where Amazon Cognito
2571
+ # sent the code.
2515
2572
  # @return [String]
2516
2573
  #
2517
2574
  # @!attribute [rw] delivery_medium
2518
- # The delivery medium (email message or phone number).
2575
+ # The method that Amazon Cognito used to send the code.
2519
2576
  # @return [String]
2520
2577
  #
2521
2578
  # @!attribute [rw] attribute_name
2522
- # The attribute name.
2579
+ # The name of the attribute that Amazon Cognito verifies with the
2580
+ # code.
2523
2581
  # @return [String]
2524
2582
  #
2525
2583
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/CodeDeliveryDetailsType AWS API Documentation
@@ -2645,7 +2703,8 @@ module Aws::CognitoIdentityProvider
2645
2703
  # }
2646
2704
  #
2647
2705
  # @!attribute [rw] access_token
2648
- # The access token.
2706
+ # A valid access token that Amazon Cognito issued to the user whose
2707
+ # device you want to confirm.
2649
2708
  # @return [String]
2650
2709
  #
2651
2710
  # @!attribute [rw] device_key
@@ -2701,6 +2760,7 @@ module Aws::CognitoIdentityProvider
2701
2760
  # analytics_endpoint_id: "StringType",
2702
2761
  # },
2703
2762
  # user_context_data: {
2763
+ # ip_address: "StringType",
2704
2764
  # encoded_data: "StringType",
2705
2765
  # },
2706
2766
  # client_metadata: {
@@ -2724,8 +2784,8 @@ module Aws::CognitoIdentityProvider
2724
2784
  # @return [String]
2725
2785
  #
2726
2786
  # @!attribute [rw] confirmation_code
2727
- # The confirmation code sent by a user's request to retrieve a
2728
- # forgotten password. For more information, see [ForgotPassword][1].
2787
+ # The confirmation code from your user's request to reset their
2788
+ # password. For more information, see [ForgotPassword][1].
2729
2789
  #
2730
2790
  #
2731
2791
  #
@@ -2733,8 +2793,7 @@ module Aws::CognitoIdentityProvider
2733
2793
  # @return [String]
2734
2794
  #
2735
2795
  # @!attribute [rw] password
2736
- # The password sent by a user's request to retrieve a forgotten
2737
- # password.
2796
+ # The new password that your user wants to set.
2738
2797
  # @return [String]
2739
2798
  #
2740
2799
  # @!attribute [rw] analytics_metadata
@@ -2743,9 +2802,11 @@ module Aws::CognitoIdentityProvider
2743
2802
  # @return [Types::AnalyticsMetadataType]
2744
2803
  #
2745
2804
  # @!attribute [rw] user_context_data
2746
- # Contextual data such as the user's device fingerprint, IP address,
2747
- # or location used for evaluating the risk of an unexpected event by
2748
- # Amazon Cognito advanced security.
2805
+ # Contextual data about your user session, such as the device
2806
+ # fingerprint, IP address, or location. Amazon Cognito advanced
2807
+ # security evaluates the risk of an authentication event based on the
2808
+ # context that your app generates and passes to Amazon Cognito when it
2809
+ # makes API requests.
2749
2810
  # @return [Types::UserContextDataType]
2750
2811
  #
2751
2812
  # @!attribute [rw] client_metadata
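Review bot: The rewritten `user_context_data` description says the context is generated and passed by your app, but it doesn't mention the `ip_address` key that this version adds to the request examples for the same structure. It is also silent on the `enable_propagate_additional_user_context_data` app-client setting added elsewhere in this diff, which presumably governs whether Amazon Cognito accepts that field. Because advanced security scores risk from these caller-asserted values, I would add a sentence such as `# The ip_address value is supplied by the caller; see EnablePropagateAdditionalUserContextData on the app client.` The identical `user_context_data` wording in the later `@@ -2865` hunk needs the same addition. The documentation for `UserContextDataType` is outside these hunks and may already cover this.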
@@ -2823,6 +2884,7 @@ module Aws::CognitoIdentityProvider
2823
2884
  # analytics_endpoint_id: "StringType",
2824
2885
  # },
2825
2886
  # user_context_data: {
2887
+ # ip_address: "StringType",
2826
2888
  # encoded_data: "StringType",
2827
2889
  # },
2828
2890
  # client_metadata: {
@@ -2865,9 +2927,11 @@ module Aws::CognitoIdentityProvider
2865
2927
  # @return [Types::AnalyticsMetadataType]
2866
2928
  #
2867
2929
  # @!attribute [rw] user_context_data
2868
- # Contextual data such as the user's device fingerprint, IP address,
2869
- # or location used for evaluating the risk of an unexpected event by
2870
- # Amazon Cognito advanced security.
2930
+ # Contextual data about your user session, such as the device
2931
+ # fingerprint, IP address, or location. Amazon Cognito advanced
2932
+ # security evaluates the risk of an authentication event based on the
2933
+ # context that your app generates and passes to Amazon Cognito when it
2934
+ # makes API requests.
2871
2935
  # @return [Types::UserContextDataType]
2872
2936
  #
2873
2937
  # @!attribute [rw] client_metadata
@@ -2950,7 +3014,7 @@ module Aws::CognitoIdentityProvider
2950
3014
  # }
2951
3015
  #
2952
3016
  # @!attribute [rw] ip_address
2953
- # Source IP address of your user.
3017
+ # The source IP address of your user's device.
2954
3018
  # @return [String]
2955
3019
  #
2956
3020
  # @!attribute [rw] server_name
@@ -2966,8 +3030,14 @@ module Aws::CognitoIdentityProvider
2966
3030
  # @return [Array<Types::HttpHeader>]
2967
3031
  #
2968
3032
  # @!attribute [rw] encoded_data
2969
- # Encoded data containing device fingerprinting details collected
2970
- # using the Amazon Cognito context data collection library.
3033
+ # Encoded device-fingerprint details that your app collected with the
3034
+ # Amazon Cognito context data collection library. For more
3035
+ # information, see [Adding user device and session data to API
3036
+ # requests][1].
3037
+ #
3038
+ #
3039
+ #
3040
+ # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-adaptive-authentication.html#user-pool-settings-adaptive-authentication-device-fingerprint
2971
3041
  # @return [String]
2972
3042
  #
2973
3043
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/ContextDataType AWS API Documentation
@@ -3013,7 +3083,7 @@ module Aws::CognitoIdentityProvider
3013
3083
  # A non-negative integer value that specifies the precedence of this
3014
3084
  # group relative to the other groups that a user can belong to in the
3015
3085
  # user pool. Zero is the highest precedence value. Groups with lower
3016
- # `Precedence` values take precedence over groups with higher ornull
3086
+ # `Precedence` values take precedence over groups with higher or null
3017
3087
  # `Precedence` values. If a user belongs to two or more groups, it is
3018
3088
  # the group with the lowest precedence value whose role ARN is given
3019
3089
  # in the user's tokens for the `cognito:roles` and
@@ -3026,7 +3096,8 @@ module Aws::CognitoIdentityProvider
3026
3096
  # group. If the two groups have different role ARNs, the
3027
3097
  # `cognito:preferred_role` claim isn't set in users' tokens.
3028
3098
  #
3029
- # The default `Precedence` value is null.
3099
+ # The default `Precedence` value is null. The maximum `Precedence`
3100
+ # value is `2^31-1`.
3030
3101
  # @return [Integer]
3031
3102
  #
3032
3103
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/CreateGroupRequest AWS API Documentation
@@ -3074,16 +3145,16 @@ module Aws::CognitoIdentityProvider
3074
3145
  # @return [String]
3075
3146
  #
3076
3147
  # @!attribute [rw] provider_name
3077
- # The identity provider name.
3148
+ # The IdP name.
3078
3149
  # @return [String]
3079
3150
  #
3080
3151
  # @!attribute [rw] provider_type
3081
- # The identity provider type.
3152
+ # The IdP type.
3082
3153
  # @return [String]
3083
3154
  #
3084
3155
  # @!attribute [rw] provider_details
3085
- # The identity provider details. The following list describes the
3086
- # provider detail keys for each identity provider type.
3156
+ # The IdP details. The following list describes the provider detail
3157
+ # keys for each IdP type.
3087
3158
  #
3088
3159
  # * For Google and Login with Amazon:
3089
3160
  #
@@ -3127,35 +3198,38 @@ module Aws::CognitoIdentityProvider
3127
3198
  #
3128
3199
  # * authorize\_scopes
3129
3200
  #
3130
- # * authorize\_url *if not available from discovery URL specified by
3131
- # oidc\_issuer key*
3201
+ # * The following keys are only present if Amazon Cognito didn't
3202
+ # discover them at the `oidc_issuer` URL.
3203
+ #
3204
+ # * authorize\_url
3205
+ #
3206
+ # * token\_url
3132
3207
  #
3133
- # * token\_url *if not available from discovery URL specified by
3134
- # oidc\_issuer key*
3208
+ # * attributes\_url
3135
3209
  #
3136
- # * attributes\_url *if not available from discovery URL specified
3137
- # by oidc\_issuer key*
3210
+ # * jwks\_uri
3138
3211
  #
3139
- # * jwks\_uri *if not available from discovery URL specified by
3140
- # oidc\_issuer key*
3212
+ # * Amazon Cognito sets the value of the following keys
3213
+ # automatically. They are read-only.
3141
3214
  #
3142
- # * attributes\_url\_add\_attributes *a read-only property that is
3143
- # set automatically*
3215
+ # * attributes\_url\_add\_attributes
3216
+ #
3217
+ # ^
3144
3218
  #
3145
3219
  # * For SAML providers:
3146
3220
  #
3147
- # * MetadataFile OR MetadataURL
3221
+ # * MetadataFile or MetadataURL
3148
3222
  #
3149
- # * IDPSignout (optional)
3223
+ # * IDPSignout *optional*
3150
3224
  # @return [Hash<String,String>]
3151
3225
  #
3152
3226
  # @!attribute [rw] attribute_mapping
3153
- # A mapping of identity provider attributes to standard and custom
3154
- # user pool attributes.
3227
+ # A mapping of IdP attributes to standard and custom user pool
3228
+ # attributes.
3155
3229
  # @return [Hash<String,String>]
3156
3230
  #
3157
3231
  # @!attribute [rw] idp_identifiers
3158
- # A list of identity provider identifiers.
3232
+ # A list of IdP identifiers.
3159
3233
  # @return [Array<String>]
3160
3234
  #
3161
3235
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/CreateIdentityProviderRequest AWS API Documentation
@@ -3172,7 +3246,7 @@ module Aws::CognitoIdentityProvider
3172
3246
  end
3173
3247
 
3174
3248
  # @!attribute [rw] identity_provider
3175
- # The newly created identity provider object.
3249
+ # The newly created IdP object.
3176
3250
  # @return [Types::IdentityProviderType]
3177
3251
  #
3178
3252
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/CreateIdentityProviderResponse AWS API Documentation
@@ -3326,6 +3400,7 @@ module Aws::CognitoIdentityProvider
3326
3400
  # },
3327
3401
  # prevent_user_existence_errors: "LEGACY", # accepts LEGACY, ENABLED
3328
3402
  # enable_token_revocation: false,
3403
+ # enable_propagate_additional_user_context_data: false,
3329
3404
  # }
3330
3405
  #
3331
3406
  # @!attribute [rw] user_pool_id
@@ -3343,26 +3418,53 @@ module Aws::CognitoIdentityProvider
3343
3418
  # @return [Boolean]
3344
3419
  #
3345
3420
  # @!attribute [rw] refresh_token_validity
3346
- # The time limit, in days, after which the refresh token is no longer
3347
- # valid and can't be used.
3421
+ # The refresh token time limit. After this limit expires, your user
3422
+ # can't use their refresh token. To specify the time unit for
3423
+ # `RefreshTokenValidity` as `seconds`, `minutes`, `hours`, or `days`,
3424
+ # set a `TokenValidityUnits` value in your API request.
3425
+ #
3426
+ # For example, when you set `RefreshTokenValidity` as `10` and
3427
+ # `TokenValidityUnits` as `days`, your user can refresh their session
3428
+ # and retrieve new access and ID tokens for 10 days.
3429
+ #
3430
+ # The default time unit for `RefreshTokenValidity` in an API request
3431
+ # is days. You can't set `RefreshTokenValidity` to 0. If you do,
3432
+ # Amazon Cognito overrides the value with the default value of 30
3433
+ # days. *Valid range* is displayed below in seconds.
3348
3434
  # @return [Integer]
3349
3435
  #
3350
3436
  # @!attribute [rw] access_token_validity
3351
- # The time limit, between 5 minutes and 1 day, after which the access
3352
- # token is no longer valid and can't be used. If you supply a
3353
- # TokenValidityUnits value, you will override the default time unit.
3437
+ # The access token time limit. After this limit expires, your user
3438
+ # can't use their access token. To specify the time unit for
3439
+ # `AccessTokenValidity` as `seconds`, `minutes`, `hours`, or `days`,
3440
+ # set a `TokenValidityUnits` value in your API request.
3441
+ #
3442
+ # For example, when you set `AccessTokenValidity` to `10` and
3443
+ # `TokenValidityUnits` to `hours`, your user can authorize access with
3444
+ # their access token for 10 hours.
3445
+ #
3446
+ # The default time unit for `AccessTokenValidity` in an API request is
3447
+ # hours. *Valid range* is displayed below in seconds.
3354
3448
  # @return [Integer]
3355
3449
  #
3356
3450
  # @!attribute [rw] id_token_validity
3357
- # The time limit, between 5 minutes and 1 day, after which the access
3358
- # token is no longer valid and can't be used. If you supply a
3359
- # TokenValidityUnits value, you will override the default time unit.
3451
+ # The ID token time limit. After this limit expires, your user can't
3452
+ # use their ID token. To specify the time unit for `IdTokenValidity`
3453
+ # as `seconds`, `minutes`, `hours`, or `days`, set a
3454
+ # `TokenValidityUnits` value in your API request.
3455
+ #
3456
+ # For example, when you set `IdTokenValidity` as `10` and
3457
+ # `TokenValidityUnits` as `hours`, your user can authenticate their
3458
+ # session with their ID token for 10 hours.
3459
+ #
3460
+ # The default time unit for `AccessTokenValidity` in an API request is
3461
+ # hours. *Valid range* is displayed below in seconds.
3360
3462
  # @return [Integer]
3361
3463
  #
3362
3464
  # @!attribute [rw] token_validity_units
3363
- # The units in which the validity times are represented. Default for
3364
- # RefreshToken is days, and default for ID and access tokens are
3365
- # hours.
3465
+ # The units in which the validity times are represented. The default
3466
+ # unit for RefreshToken is days, and default for ID and access tokens
3467
+ # are hours.
3366
3468
  # @return [Types::TokenValidityUnitsType]
3367
3469
  #
3368
3470
  # @!attribute [rw] read_attributes
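Review bot: The last paragraph of the new `id_token_validity` description names the wrong parameter: it reads "The default time unit for `AccessTokenValidity` in an API request is hours", apparently copied from the attribute above. It should name `IdTokenValidity`, otherwise a reader setting ID-token lifetime gets no statement of the default unit for that field. In the `refresh_token_validity` text, the sentence saying a value of 0 is overridden with 30 days would be clearer as its own paragraph, since a caller who passes 0 expecting the shortest lifetime gets the longest default instead. "*Valid range* is displayed below in seconds" points at content that is not in this hunk.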
@@ -3372,14 +3474,13 @@ module Aws::CognitoIdentityProvider
3372
3474
  # @!attribute [rw] write_attributes
3373
3475
  # The user pool attributes that the app client can write to.
3374
3476
  #
3375
- # If your app client allows users to sign in through an identity
3376
- # provider, this array must include all attributes that you have
3377
- # mapped to identity provider attributes. Amazon Cognito updates
3378
- # mapped attributes when users sign in to your application through an
3379
- # identity provider. If your app client does not have write access to
3380
- # a mapped attribute, Amazon Cognito throws an error when it tries to
3381
- # update the attribute. For more information, see [Specifying Identity
3382
- # Provider Attribute Mappings for Your user pool][1].
3477
+ # If your app client allows users to sign in through an IdP, this
3478
+ # array must include all attributes that you have mapped to IdP
3479
+ # attributes. Amazon Cognito updates mapped attributes when users sign
3480
+ # in to your application through an IdP. If your app client does not
3481
+ # have write access to a mapped attribute, Amazon Cognito throws an
3482
+ # error when it tries to update the attribute. For more information,
3483
+ # see [Specifying IdP Attribute Mappings for Your user pool][1].
3383
3484
  #
3384
3485
  #
3385
3486
  #
@@ -3398,34 +3499,46 @@ module Aws::CognitoIdentityProvider
3398
3499
  #
3399
3500
  # Valid values include:
3400
3501
  #
3401
- # * `ALLOW_ADMIN_USER_PASSWORD_AUTH`\: Enable admin based user
3402
- # password authentication flow `ADMIN_USER_PASSWORD_AUTH`. This
3403
- # setting replaces the `ADMIN_NO_SRP_AUTH` setting. With this
3404
- # authentication flow, Amazon Cognito receives the password in the
3405
- # request instead of using the Secure Remote Password (SRP) protocol
3406
- # to verify passwords.
3502
+ # ALLOW\_ADMIN\_USER\_PASSWORD\_AUTH
3407
3503
  #
3408
- # * `ALLOW_CUSTOM_AUTH`\: Enable Lambda trigger based authentication.
3504
+ # : Enable admin based user password authentication flow
3505
+ # `ADMIN_USER_PASSWORD_AUTH`. This setting replaces the
3506
+ # `ADMIN_NO_SRP_AUTH` setting. With this authentication flow, Amazon
3507
+ # Cognito receives the password in the request instead of using the
3508
+ # Secure Remote Password (SRP) protocol to verify passwords.
3409
3509
  #
3410
- # * `ALLOW_USER_PASSWORD_AUTH`\: Enable user password-based
3411
- # authentication. In this flow, Amazon Cognito receives the password
3412
- # in the request instead of using the SRP protocol to verify
3413
- # passwords.
3510
+ # ALLOW\_CUSTOM\_AUTH
3414
3511
  #
3415
- # * `ALLOW_USER_SRP_AUTH`\: Enable SRP-based authentication.
3512
+ # : Enable Lambda trigger based authentication.
3416
3513
  #
3417
- # * `ALLOW_REFRESH_TOKEN_AUTH`\: Enable authflow to refresh tokens.
3514
+ # ALLOW\_USER\_PASSWORD\_AUTH
3515
+ #
3516
+ # : Enable user password-based authentication. In this flow, Amazon
3517
+ # Cognito receives the password in the request instead of using the
3518
+ # SRP protocol to verify passwords.
3519
+ #
3520
+ # ALLOW\_USER\_SRP\_AUTH
3521
+ #
3522
+ # : Enable SRP-based authentication.
3523
+ #
3524
+ # ALLOW\_REFRESH\_TOKEN\_AUTH
3525
+ #
3526
+ # : Enable the authflow that refreshes tokens.
3527
+ #
3528
+ # If you don't specify a value for `ExplicitAuthFlows`, your user
3529
+ # client supports `ALLOW_USER_SRP_AUTH` and `ALLOW_CUSTOM_AUTH`.
3418
3530
  # @return [Array<String>]
3419
3531
  #
3420
3532
  # @!attribute [rw] supported_identity_providers
3421
- # A list of provider names for the identity providers that are
3533
+ # A list of provider names for the identity providers (IdPs) that are
3422
3534
  # supported on this client. The following are supported: `COGNITO`,
3423
- # `Facebook`, `Google` and `LoginWithAmazon`.
3535
+ # `Facebook`, `Google`, `SignInWithApple`, and `LoginWithAmazon`. You
3536
+ # can also specify the names that you configured for the SAML and OIDC
3537
+ # IdPs in your user pool, for example `MySAMLIdP` or `MyOIDCIdP`.
3424
3538
  # @return [Array<String>]
3425
3539
  #
3426
3540
  # @!attribute [rw] callback_urls
3427
- # A list of allowed redirect (callback) URLs for the identity
3428
- # providers.
3541
+ # A list of allowed redirect (callback) URLs for the IdPs.
3429
3542
  #
3430
3543
  # A redirect URI must:
3431
3544
  #
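Review bot: The default sentence added at new lines 3528–3529 names only `ALLOW_USER_SRP_AUTH` and `ALLOW_CUSTOM_AUTH` and calls the subject "your user client", so a reader cannot tell whether `ALLOW_REFRESH_TOKEN_AUTH` is also on by default or which client is meant. This sentence implies that the two flows where Amazon Cognito receives the password in the request stay off unless they are listed, so it should be exact. I would write `your app client supports`, matching the term used for `write_attributes`, and state the refresh-token default explicitly once it is confirmed against the service. The attribute's comment block starts above this hunk.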
@@ -3448,7 +3561,7 @@ module Aws::CognitoIdentityProvider
3448
3561
  # @return [Array<String>]
3449
3562
  #
3450
3563
  # @!attribute [rw] logout_urls
3451
- # A list of allowed logout URLs for the identity providers.
3564
+ # A list of allowed logout URLs for the IdPs.
3452
3565
  # @return [Array<String>]
3453
3566
  #
3454
3567
  # @!attribute [rw] default_redirect_uri
@@ -3477,22 +3590,28 @@ module Aws::CognitoIdentityProvider
3477
3590
  # @!attribute [rw] allowed_o_auth_flows
3478
3591
  # The allowed OAuth flows.
3479
3592
  #
3480
- # Set to `code` to initiate a code grant flow, which provides an
3481
- # authorization code as the response. This code can be exchanged for
3482
- # access tokens with the token endpoint.
3593
+ # code
3594
+ #
3595
+ # : Use a code grant flow, which provides an authorization code as the
3596
+ # response. This code can be exchanged for access tokens with the
3597
+ # `/oauth2/token` endpoint.
3483
3598
  #
3484
- # Set to `implicit` to specify that the client should get the access
3485
- # token (and, optionally, ID token, based on scopes) directly.
3599
+ # implicit
3486
3600
  #
3487
- # Set to `client_credentials` to specify that the client should get
3488
- # the access token (and, optionally, ID token, based on scopes) from
3489
- # the token endpoint using a combination of client and client\_secret.
3601
+ # : Issue the access token (and, optionally, ID token, based on
3602
+ # scopes) directly to your user.
3603
+ #
3604
+ # client\_credentials
3605
+ #
3606
+ # : Issue the access token from the `/oauth2/token` endpoint directly
3607
+ # to a non-person user using a combination of the client ID and
3608
+ # client secret.
3490
3609
  # @return [Array<String>]
3491
3610
  #
3492
3611
  # @!attribute [rw] allowed_o_auth_scopes
3493
- # The allowed OAuth scopes. Possible values provided by OAuth are:
3612
+ # The allowed OAuth scopes. Possible values provided by OAuth are
3494
3613
  # `phone`, `email`, `openid`, and `profile`. Possible values provided
3495
- # by Amazon Web Services are: `aws.cognito.signin.user.admin`. Custom
3614
+ # by Amazon Web Services are `aws.cognito.signin.user.admin`. Custom
3496
3615
  # scopes created in Resource Servers are also supported.
3497
3616
  # @return [Array<String>]
3498
3617
  #
@@ -3545,6 +3664,20 @@ module Aws::CognitoIdentityProvider
3545
3664
  # [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_RevokeToken.html
3546
3665
  # @return [Boolean]
3547
3666
  #
3667
+ # @!attribute [rw] enable_propagate_additional_user_context_data
3668
+ # Activates the propagation of additional user context data. For more
3669
+ # information about propagation of user context data, see [ Adding
3670
+ # advanced security to a user pool][1]. If you don’t include this
3671
+ # parameter, you can't send device fingerprint information, including
3672
+ # source IP address, to Amazon Cognito advanced security. You can only
3673
+ # activate `EnablePropagateAdditionalUserContextData` in an app client
3674
+ # that has a client secret.
3675
+ #
3676
+ #
3677
+ #
3678
+ # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html
3679
+ # @return [Boolean]
3680
+ #
3548
3681
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/CreateUserPoolClientRequest AWS API Documentation
3549
3682
  #
3550
3683
  class CreateUserPoolClientRequest < Struct.new(
@@ -3567,7 +3700,8 @@ module Aws::CognitoIdentityProvider
3567
3700
  :allowed_o_auth_flows_user_pool_client,
3568
3701
  :analytics_configuration,
3569
3702
  :prevent_user_existence_errors,
3570
- :enable_token_revocation)
3703
+ :enable_token_revocation,
3704
+ :enable_propagate_additional_user_context_data)
3571
3705
  SENSITIVE = []
3572
3706
  include Aws::Structure
3573
3707
  end
@@ -3700,6 +3834,9 @@ module Aws::CognitoIdentityProvider
3700
3834
  # },
3701
3835
  # sms_authentication_message: "SmsVerificationMessageType",
3702
3836
  # mfa_configuration: "OFF", # accepts OFF, ON, OPTIONAL
3837
+ # user_attribute_update_settings: {
3838
+ # attributes_require_verification_before_update: ["phone_number"], # accepts phone_number, email
3839
+ # },
3703
3840
  # device_configuration: {
3704
3841
  # challenge_required_on_new_device: false,
3705
3842
  # device_only_remembered_on_user_prompt: false,
@@ -3813,8 +3950,8 @@ module Aws::CognitoIdentityProvider
3813
3950
  #
3814
3951
  # @!attribute [rw] email_verification_message
3815
3952
  # A string representing the email verification message.
3816
- # EmailVerificationMessage is allowed only if [EmailSendingAccount][1]
3817
- # is DEVELOPER.
3953
+ # `EmailVerificationMessage` is allowed only if
3954
+ # [EmailSendingAccount][1] is DEVELOPER.
3818
3955
  #
3819
3956
  #
3820
3957
  #
@@ -3823,8 +3960,8 @@ module Aws::CognitoIdentityProvider
3823
3960
  #
3824
3961
  # @!attribute [rw] email_verification_subject
3825
3962
  # A string representing the email verification subject.
3826
- # EmailVerificationSubject is allowed only if [EmailSendingAccount][1]
3827
- # is DEVELOPER.
3963
+ # `EmailVerificationSubject` is allowed only if
3964
+ # [EmailSendingAccount][1] is DEVELOPER.
3828
3965
  #
3829
3966
  #
3830
3967
  #
@@ -3844,8 +3981,28 @@ module Aws::CognitoIdentityProvider
3844
3981
  # Specifies MFA configuration details.
3845
3982
  # @return [String]
3846
3983
  #
3984
+ # @!attribute [rw] user_attribute_update_settings
3985
+ # The settings for updates to user attributes. These settings include
3986
+ # the property `AttributesRequireVerificationBeforeUpdate`, a
3987
+ # user-pool setting that tells Amazon Cognito how to handle changes to
3988
+ # the value of your users' email address and phone number attributes.
3989
+ # For more information, see [ Verifying updates to email addresses and
3990
+ # phone numbers][1].
3991
+ #
3992
+ #
3993
+ #
3994
+ # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-email-phone-verification.html#user-pool-settings-verifications-verify-attribute-updates
3995
+ # @return [Types::UserAttributeUpdateSettingsType]
3996
+ #
3847
3997
  # @!attribute [rw] device_configuration
3848
- # The device configuration.
3998
+ # The device-remembering configuration for a user pool. A null value
3999
+ # indicates that you have deactivated device remembering in your user
4000
+ # pool.
4001
+ #
4002
+ # <note markdown="1"> When you provide a value for any `DeviceConfiguration` field, you
4003
+ # activate the Amazon Cognito device-remembering feature.
4004
+ #
4005
+ # </note>
3849
4006
  # @return [Types::DeviceConfigurationType]
3850
4007
  #
3851
4008
  # @!attribute [rw] email_configuration
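Review bot: The new `user_attribute_update_settings` comment (new lines 3985–3990) names `AttributesRequireVerificationBeforeUpdate` but does not say what listing an attribute changes, or what the pool does when the field is omitted. The setting governs how a changed email address or phone number is accepted, so the default matters to anyone assessing account-recovery exposure. I would add one sentence taken from the linked guide, along the lines of `# When this field is omitted, <default behaviour, to be confirmed against the guide>.` The enclosing comment block starts and ends outside this hunk.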
@@ -3921,6 +4078,7 @@ module Aws::CognitoIdentityProvider
3921
4078
  :verification_message_template,
3922
4079
  :sms_authentication_message,
3923
4080
  :mfa_configuration,
4081
+ :user_attribute_update_settings,
3924
4082
  :device_configuration,
3925
4083
  :email_configuration,
3926
4084
  :sms_configuration,
@@ -4071,7 +4229,7 @@ module Aws::CognitoIdentityProvider
4071
4229
  # @return [String]
4072
4230
  #
4073
4231
  # @!attribute [rw] provider_name
4074
- # The identity provider name.
4232
+ # The IdP name.
4075
4233
  # @return [String]
4076
4234
  #
4077
4235
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/DeleteIdentityProviderRequest AWS API Documentation
@@ -4127,7 +4285,8 @@ module Aws::CognitoIdentityProvider
4127
4285
  # @return [Array<String>]
4128
4286
  #
4129
4287
  # @!attribute [rw] access_token
4130
- # The access token used in the request to delete user attributes.
4288
+ # A valid access token that Amazon Cognito issued to the user whose
4289
+ # attributes you want to delete.
4131
4290
  # @return [String]
4132
4291
  #
4133
4292
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/DeleteUserAttributesRequest AWS API Documentation
@@ -4235,7 +4394,8 @@ module Aws::CognitoIdentityProvider
4235
4394
  # }
4236
4395
  #
4237
4396
  # @!attribute [rw] access_token
4238
- # The access token from a request to delete a user.
4397
+ # A valid access token that Amazon Cognito issued to the user whose
4398
+ # user profile you want to delete.
4239
4399
  # @return [String]
4240
4400
  #
4241
4401
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/DeleteUserRequest AWS API Documentation
@@ -4259,7 +4419,7 @@ module Aws::CognitoIdentityProvider
4259
4419
  # @return [String]
4260
4420
  #
4261
4421
  # @!attribute [rw] provider_name
4262
- # The identity provider name.
4422
+ # The IdP name.
4263
4423
  # @return [String]
4264
4424
  #
4265
4425
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/DescribeIdentityProviderRequest AWS API Documentation
@@ -4272,7 +4432,7 @@ module Aws::CognitoIdentityProvider
4272
4432
  end
4273
4433
 
4274
4434
  # @!attribute [rw] identity_provider
4275
- # The identity provider that was deleted.
4435
+ # The IdP that was deleted.
4276
4436
  # @return [Types::IdentityProviderType]
4277
4437
  #
4278
4438
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/DescribeIdentityProviderResponse AWS API Documentation
@@ -4512,11 +4672,12 @@ module Aws::CognitoIdentityProvider
4512
4672
  include Aws::Structure
4513
4673
  end
4514
4674
 
4515
- # The device tracking configuration for a user pool. A user pool with
4516
- # device tracking deactivated returns a null value.
4675
+ # The device-remembering configuration for a user pool. A null value
4676
+ # indicates that you have deactivated device remembering in your user
4677
+ # pool.
4517
4678
  #
4518
- # <note markdown="1"> When you provide values for any DeviceConfiguration field, you
4519
- # activate device tracking.
4679
+ # <note markdown="1"> When you provide a value for any `DeviceConfiguration` field, you
4680
+ # activate the Amazon Cognito device-remembering feature.
4520
4681
  #
4521
4682
  # </note>
4522
4683
  #
@@ -4533,17 +4694,23 @@ module Aws::CognitoIdentityProvider
4533
4694
  # one-time password (TOTP) factors for multi-factor authentication
4534
4695
  # (MFA).
4535
4696
  #
4536
- # <note markdown="1"> Users that sign in with devices that have not been confirmed or
4537
- # remembered will still have to provide a second factor, whether or
4538
- # not ChallengeRequiredOnNewDevice is true, when your user pool
4539
- # requires MFA.
4697
+ # <note markdown="1"> Regardless of the value of this field, users that sign in with new
4698
+ # devices that have not been confirmed or remembered must provide a
4699
+ # second factor if your user pool requires MFA.
4540
4700
  #
4541
4701
  # </note>
4542
4702
  # @return [Boolean]
4543
4703
  #
4544
4704
  # @!attribute [rw] device_only_remembered_on_user_prompt
4545
- # When true, users can opt in to remembering their device. Your app
4546
- # code must use callback functions to return the user's choice.
4705
+ # When true, Amazon Cognito doesn't remember newly-confirmed devices.
4706
+ # Users who want to authenticate with their device can instead opt in
4707
+ # to remembering their device. To collect a choice from your user,
4708
+ # create an input prompt in your app and return the value that the
4709
+ # user chooses in an [UpdateDeviceStatus][1] API request.
4710
+ #
4711
+ #
4712
+ #
4713
+ # [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateDeviceStatus.html
4547
4714
  # @return [Boolean]
4548
4715
  #
4549
4716
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/DeviceConfigurationType AWS API Documentation
@@ -4570,7 +4737,11 @@ module Aws::CognitoIdentityProvider
4570
4737
  # @return [String]
4571
4738
  #
4572
4739
  # @!attribute [rw] salt
4573
- # The salt.
4740
+ # The [salt][1]
4741
+ #
4742
+ #
4743
+ #
4744
+ # [1]: https://en.wikipedia.org/wiki/Salt_(cryptography)
4574
4745
  # @return [String]
4575
4746
  #
4576
4747
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/DeviceSecretVerifierConfigType AWS API Documentation
@@ -4762,29 +4933,6 @@ module Aws::CognitoIdentityProvider
4762
4933
  # of an Amazon SES verified email address for the `SourceArn`
4763
4934
  # parameter.
4764
4935
  #
4765
- # If EmailSendingAccount is COGNITO\_DEFAULT, you can't use the
4766
- # following parameters:
4767
- #
4768
- # * EmailVerificationMessage
4769
- #
4770
- # * EmailVerificationSubject
4771
- #
4772
- # * InviteMessageTemplate.EmailMessage
4773
- #
4774
- # * InviteMessageTemplate.EmailSubject
4775
- #
4776
- # * VerificationMessageTemplate.EmailMessage
4777
- #
4778
- # * VerificationMessageTemplate.EmailMessageByLink
4779
- #
4780
- # * VerificationMessageTemplate.EmailSubject,
4781
- #
4782
- # * VerificationMessageTemplate.EmailSubjectByLink
4783
- #
4784
- # <note markdown="1"> DEVELOPER EmailSendingAccount is required.
4785
- #
4786
- # </note>
4787
- #
4788
4936
  # DEVELOPER
4789
4937
  #
4790
4938
  # : When Amazon Cognito emails your users, it uses your Amazon SES
@@ -4794,8 +4942,8 @@ module Aws::CognitoIdentityProvider
4794
4942
  # to your Amazon SES verified email address in your Amazon Web
4795
4943
  # Services account.
4796
4944
  #
4797
- # If you use this option, you must provide the ARN of an Amazon SES
4798
- # verified email address for the `SourceArn` parameter.
4945
+ # If you use this option, provide the ARN of an Amazon SES verified
4946
+ # email address for the `SourceArn` parameter.
4799
4947
  #
4800
4948
  # Before Amazon Cognito can email your users, it requires additional
4801
4949
  # permissions to call Amazon SES on your behalf. When you update
@@ -4875,7 +5023,7 @@ module Aws::CognitoIdentityProvider
4875
5023
  # request.
4876
5024
  #
4877
5025
  # @!attribute [rw] ip_address
4878
- # The user's IP address.
5026
+ # The source IP address of your user's device.
4879
5027
  # @return [String]
4880
5028
  #
4881
5029
  # @!attribute [rw] device_name
@@ -4969,6 +5117,22 @@ module Aws::CognitoIdentityProvider
4969
5117
  include Aws::Structure
4970
5118
  end
4971
5119
 
5120
+ # This exception is thrown when WAF doesn't allow your request based on
5121
+ # a web ACL that's associated with your user pool.
5122
+ #
5123
+ # @!attribute [rw] message
5124
+ # The message returned when WAF doesn't allow your request based on a
5125
+ # web ACL that's associated with your user pool.
5126
+ # @return [String]
5127
+ #
5128
+ # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/ForbiddenException AWS API Documentation
5129
+ #
5130
+ class ForbiddenException < Struct.new(
5131
+ :message)
5132
+ SENSITIVE = []
5133
+ include Aws::Structure
5134
+ end
5135
+
4972
5136
  # Represents the request to forget the device.
4973
5137
  #
4974
5138
  # @note When making an API call, you may pass ForgetDeviceRequest
@@ -4980,7 +5144,8 @@ module Aws::CognitoIdentityProvider
4980
5144
  # }
4981
5145
  #
4982
5146
  # @!attribute [rw] access_token
4983
- # The access token for the forgotten device request.
5147
+ # A valid access token that Amazon Cognito issued to the user whose
5148
+ # registered device you want to forget.
4984
5149
  # @return [String]
4985
5150
  #
4986
5151
  # @!attribute [rw] device_key
@@ -5005,6 +5170,7 @@ module Aws::CognitoIdentityProvider
5005
5170
  # client_id: "ClientIdType", # required
5006
5171
  # secret_hash: "SecretHashType",
5007
5172
  # user_context_data: {
5173
+ # ip_address: "StringType",
5008
5174
  # encoded_data: "StringType",
5009
5175
  # },
5010
5176
  # username: "UsernameType", # required
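Review bot: The request example gains `ip_address` under `user_context_data` at new line 5173 without saying when the field is accepted. The `enable_propagate_additional_user_context_data` comment added earlier in this diff says the source IP address can't be sent to advanced security unless that app-client setting is included, and that it can only be activated on an app client with a client secret. A trailing comment such as `# needs EnablePropagateAdditionalUserContextData on the app client` on the `ip_address` line would carry that; how the field and the setting interact is inferred from that comment, not shown here. The same line is added to the example in the hunk at new line 5982, and both example blocks start above their hunks.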
@@ -5027,9 +5193,11 @@ module Aws::CognitoIdentityProvider
5027
5193
  # @return [String]
5028
5194
  #
5029
5195
  # @!attribute [rw] user_context_data
5030
- # Contextual data such as the user's device fingerprint, IP address,
5031
- # or location used for evaluating the risk of an unexpected event by
5032
- # Amazon Cognito advanced security.
5196
+ # Contextual data about your user session, such as the device
5197
+ # fingerprint, IP address, or location. Amazon Cognito advanced
5198
+ # security evaluates the risk of an authentication event based on the
5199
+ # context that your app generates and passes to Amazon Cognito when it
5200
+ # makes API requests.
5033
5201
  # @return [Types::UserContextDataType]
5034
5202
  #
5035
5203
  # @!attribute [rw] username
@@ -5038,8 +5206,8 @@ module Aws::CognitoIdentityProvider
5038
5206
  # @return [String]
5039
5207
  #
5040
5208
  # @!attribute [rw] analytics_metadata
5041
- # The Amazon Pinpoint analytics metadata for collecting metrics for
5042
- # `ForgotPassword` calls.
5209
+ # The Amazon Pinpoint analytics metadata that contributes to your
5210
+ # metrics for `ForgotPassword` calls.
5043
5211
  # @return [Types::AnalyticsMetadataType]
5044
5212
  #
5045
5213
  # @!attribute [rw] client_metadata
@@ -5094,8 +5262,7 @@ module Aws::CognitoIdentityProvider
5094
5262
  include Aws::Structure
5095
5263
  end
5096
5264
 
5097
- # Respresents the response from the server regarding the request to
5098
- # reset a password.
5265
+ # The response from Amazon Cognito to a request to reset a password.
5099
5266
  #
5100
5267
  # @!attribute [rw] code_delivery_details
5101
5268
  # The code delivery details returned by the server in response to the
@@ -5169,7 +5336,8 @@ module Aws::CognitoIdentityProvider
5169
5336
  # @return [String]
5170
5337
  #
5171
5338
  # @!attribute [rw] access_token
5172
- # The access token.
5339
+ # A valid access token that Amazon Cognito issued to the user whose
5340
+ # device information you want to request.
5173
5341
  # @return [String]
5174
5342
  #
5175
5343
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/GetDeviceRequest AWS API Documentation
@@ -5245,7 +5413,7 @@ module Aws::CognitoIdentityProvider
5245
5413
  # @return [String]
5246
5414
  #
5247
5415
  # @!attribute [rw] idp_identifier
5248
- # The identity provider ID.
5416
+ # The IdP identifier.
5249
5417
  # @return [String]
5250
5418
  #
5251
5419
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/GetIdentityProviderByIdentifierRequest AWS API Documentation
@@ -5258,7 +5426,7 @@ module Aws::CognitoIdentityProvider
5258
5426
  end
5259
5427
 
5260
5428
  # @!attribute [rw] identity_provider
5261
- # The identity provider object.
5429
+ # The IdP object.
5262
5430
  # @return [Types::IdentityProviderType]
5263
5431
  #
5264
5432
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/GetIdentityProviderByIdentifierResponse AWS API Documentation
@@ -5355,8 +5523,8 @@ module Aws::CognitoIdentityProvider
5355
5523
  # }
5356
5524
  #
5357
5525
  # @!attribute [rw] access_token
5358
- # The access token returned by the server response to get the user
5359
- # attribute verification code.
5526
+ # A non-expired access token for the user whose attribute verification
5527
+ # code you want to generate.
5360
5528
  # @return [String]
5361
5529
  #
5362
5530
  # @!attribute [rw] attribute_name
@@ -5448,15 +5616,17 @@ module Aws::CognitoIdentityProvider
5448
5616
  end
5449
5617
 
5450
5618
  # @!attribute [rw] sms_mfa_configuration
5451
- # The SMS text message multi-factor (MFA) configuration.
5619
+ # The SMS text message multi-factor authentication (MFA)
5620
+ # configuration.
5452
5621
  # @return [Types::SmsMfaConfigType]
5453
5622
  #
5454
5623
  # @!attribute [rw] software_token_mfa_configuration
5455
- # The software token multi-factor (MFA) configuration.
5624
+ # The software token multi-factor authentication (MFA) configuration.
5456
5625
  # @return [Types::SoftwareTokenMfaConfigType]
5457
5626
  #
5458
5627
  # @!attribute [rw] mfa_configuration
5459
- # The multi-factor (MFA) configuration. Valid values include:
5628
+ # The multi-factor authentication (MFA) configuration. Valid values
5629
+ # include:
5460
5630
  #
5461
5631
  # * `OFF` MFA won't be used for any users.
5462
5632
  #
@@ -5486,8 +5656,8 @@ module Aws::CognitoIdentityProvider
5486
5656
  # }
5487
5657
  #
5488
5658
  # @!attribute [rw] access_token
5489
- # The access token returned by the server response to get information
5490
- # about the user.
5659
+ # A non-expired access token for the user whose information you want
5660
+ # to query.
5491
5661
  # @return [String]
5492
5662
  #
5493
5663
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/GetUserRequest AWS API Documentation
@@ -5552,7 +5722,8 @@ module Aws::CognitoIdentityProvider
5552
5722
  # }
5553
5723
  #
5554
5724
  # @!attribute [rw] access_token
5555
- # The access token.
5725
+ # A valid access token that Amazon Cognito issued to the user who you
5726
+ # want to sign out.
5556
5727
  # @return [String]
5557
5728
  #
5558
5729
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/GlobalSignOutRequest AWS API Documentation
@@ -5670,23 +5841,23 @@ module Aws::CognitoIdentityProvider
5670
5841
  include Aws::Structure
5671
5842
  end
5672
5843
 
5673
- # A container for information about an identity provider.
5844
+ # A container for information about an IdP.
5674
5845
  #
5675
5846
  # @!attribute [rw] user_pool_id
5676
5847
  # The user pool ID.
5677
5848
  # @return [String]
5678
5849
  #
5679
5850
  # @!attribute [rw] provider_name
5680
- # The identity provider name.
5851
+ # The IdP name.
5681
5852
  # @return [String]
5682
5853
  #
5683
5854
  # @!attribute [rw] provider_type
5684
- # The identity provider type.
5855
+ # The IdP type.
5685
5856
  # @return [String]
5686
5857
  #
5687
5858
  # @!attribute [rw] provider_details
5688
- # The identity provider details. The following list describes the
5689
- # provider detail keys for each identity provider type.
5859
+ # The IdP details. The following list describes the provider detail
5860
+ # keys for each IdP type.
5690
5861
  #
5691
5862
  # * For Google and Login with Amazon:
5692
5863
  #
@@ -5716,6 +5887,9 @@ module Aws::CognitoIdentityProvider
5716
5887
  #
5717
5888
  # * private\_key
5718
5889
  #
5890
+ # *You can submit a private\_key when you add or update an IdP.
5891
+ # Describe operations don't return the private key.*
5892
+ #
5719
5893
  # * authorize\_scopes
5720
5894
  #
5721
5895
  # * For OIDC providers:
@@ -5730,43 +5904,46 @@ module Aws::CognitoIdentityProvider
5730
5904
  #
5731
5905
  # * authorize\_scopes
5732
5906
  #
5733
- # * authorize\_url *if not available from discovery URL specified by
5734
- # oidc\_issuer key*
5907
+ # * The following keys are only present if Amazon Cognito didn't
5908
+ # discover them at the `oidc_issuer` URL.
5909
+ #
5910
+ # * authorize\_url
5735
5911
  #
5736
- # * token\_url *if not available from discovery URL specified by
5737
- # oidc\_issuer key*
5912
+ # * token\_url
5738
5913
  #
5739
- # * attributes\_url *if not available from discovery URL specified
5740
- # by oidc\_issuer key*
5914
+ # * attributes\_url
5741
5915
  #
5742
- # * jwks\_uri *if not available from discovery URL specified by
5743
- # oidc\_issuer key*
5916
+ # * jwks\_uri
5744
5917
  #
5745
- # * attributes\_url\_add\_attributes *a read-only property that is
5746
- # set automatically*
5918
+ # * Amazon Cognito sets the value of the following keys
5919
+ # automatically. They are read-only.
5920
+ #
5921
+ # * attributes\_url\_add\_attributes
5922
+ #
5923
+ # ^
5747
5924
  #
5748
5925
  # * For SAML providers:
5749
5926
  #
5750
5927
  # * MetadataFile or MetadataURL
5751
5928
  #
5752
- # * IDPSignOut *optional*
5929
+ # * IDPSignout *optional*
5753
5930
  # @return [Hash<String,String>]
5754
5931
  #
5755
5932
  # @!attribute [rw] attribute_mapping
5756
- # A mapping of identity provider attributes to standard and custom
5757
- # user pool attributes.
5933
+ # A mapping of IdP attributes to standard and custom user pool
5934
+ # attributes.
5758
5935
  # @return [Hash<String,String>]
5759
5936
  #
5760
5937
  # @!attribute [rw] idp_identifiers
5761
- # A list of identity provider identifiers.
5938
+ # A list of IdP identifiers.
5762
5939
  # @return [Array<String>]
5763
5940
  #
5764
5941
  # @!attribute [rw] last_modified_date
5765
- # The date the identity provider was last modified.
5942
+ # The date the IdP was last modified.
5766
5943
  # @return [Time]
5767
5944
  #
5768
5945
  # @!attribute [rw] creation_date
5769
- # The date the identity provider was created.
5946
+ # The date the IdP was created.
5770
5947
  # @return [Time]
5771
5948
  #
5772
5949
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/IdentityProviderType AWS API Documentation
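Review bot: The SAML key is respelled from `IDPSignOut` to `IDPSignout` at new line 5929, with nothing in the hunk saying which spelling the service accepts. `provider_details` is documented as `Hash<String,String>`, so callers copy these names as literal keys, and a key that is silently ignored would presumably leave IdP sign-out unconfigured. The casing is worth confirming against the API reference, and if the old spelling was wrong the changelog should say so. The `# ^` at new line 5923 also reads as a list-terminator artefact rather than documentation.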
@@ -5802,6 +5979,7 @@ module Aws::CognitoIdentityProvider
5802
5979
  # analytics_endpoint_id: "StringType",
5803
5980
  # },
5804
5981
  # user_context_data: {
5982
+ # ip_address: "StringType",
5805
5983
  # encoded_data: "StringType",
5806
5984
  # },
5807
5985
  # }
@@ -5830,10 +6008,10 @@ module Aws::CognitoIdentityProvider
5830
6008
  #
5831
6009
  # * `CUSTOM_AUTH`\: Custom authentication flow.
5832
6010
  #
5833
- # * `USER_PASSWORD_AUTH`\: Non-SRP authentication flow; USERNAME and
5834
- # PASSWORD are passed directly. If a user migration Lambda trigger
6011
+ # * `USER_PASSWORD_AUTH`\: Non-SRP authentication flow; user name and
6012
+ # password are passed directly. If a user migration Lambda trigger
5835
6013
  # is set, this flow will invoke the user migration Lambda if it
5836
- # doesn't find the USERNAME in the user pool.
6014
+ # doesn't find the user name in the user pool.
5837
6015
  #
5838
6016
  # `ADMIN_NO_SRP_AUTH` isn't a valid value.
5839
6017
  # @return [String]
@@ -5925,14 +6103,16 @@ module Aws::CognitoIdentityProvider
5925
6103
  # @return [String]
5926
6104
  #
5927
6105
  # @!attribute [rw] analytics_metadata
5928
- # The Amazon Pinpoint analytics metadata for collecting metrics for
5929
- # `InitiateAuth` calls.
6106
+ # The Amazon Pinpoint analytics metadata that contributes to your
6107
+ # metrics for `InitiateAuth` calls.
5930
6108
  # @return [Types::AnalyticsMetadataType]
5931
6109
  #
5932
6110
  # @!attribute [rw] user_context_data
5933
- # Contextual data such as the user's device fingerprint, IP address,
5934
- # or location used for evaluating the risk of an unexpected event by
5935
- # Amazon Cognito advanced security.
6111
+ # Contextual data about your user session, such as the device
6112
+ # fingerprint, IP address, or location. Amazon Cognito advanced
6113
+ # security evaluates the risk of an authentication event based on the
6114
+ # context that your app generates and passes to Amazon Cognito when it
6115
+ # makes API requests.
5936
6116
  # @return [Types::UserContextDataType]
5937
6117
  #
5938
6118
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/InitiateAuthRequest AWS API Documentation
@@ -5981,9 +6161,23 @@ module Aws::CognitoIdentityProvider
5981
6161
  # for devices only.
5982
6162
  #
5983
6163
  # * `NEW_PASSWORD_REQUIRED`\: For users who are required to change
5984
- # their passwords after successful first login. This challenge
5985
- # should be passed with `NEW_PASSWORD` and any other required
5986
- # attributes.
6164
+ # their passwords after successful first login.
6165
+ #
6166
+ # Respond to this challenge with `NEW_PASSWORD` and any required
6167
+ # attributes that Amazon Cognito returned in the
6168
+ # `requiredAttributes` parameter. You can also set values for
6169
+ # attributes that aren't required by your user pool and that your
6170
+ # app client can write. For more information, see
6171
+ # [RespondToAuthChallenge][1].
6172
+ #
6173
+ # <note markdown="1"> In a `NEW_PASSWORD_REQUIRED` challenge response, you can't modify
6174
+ # a required attribute that already has a value. In
6175
+ # `RespondToAuthChallenge`, set a value for any keys that Amazon
6176
+ # Cognito returned in the `requiredAttributes` parameter, then use
6177
+ # the `UpdateUserAttributes` API operation to modify the value of
6178
+ # any additional attributes.
6179
+ #
6180
+ # </note>
5987
6181
  #
5988
6182
  # * `MFA_SETUP`\: For users who are required to setup an MFA factor
5989
6183
  # before they can sign in. The MFA types activated for the user pool
@@ -5996,6 +6190,10 @@ module Aws::CognitoIdentityProvider
5996
6190
  # complete sign-in. To set up SMS MFA, an administrator should help
5997
6191
  # the user to add a phone number to their account, and then the user
5998
6192
  # should call `InitiateAuth` again to restart sign-in.
6193
+ #
6194
+ #
6195
+ #
6196
+ # [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_RespondToAuthChallenge.html
5999
6197
  # @return [String]
6000
6198
  #
6001
6199
  # @!attribute [rw] session
@@ -6071,7 +6269,7 @@ module Aws::CognitoIdentityProvider
6071
6269
  # Lambda response.
6072
6270
  #
6073
6271
  # @!attribute [rw] message
6074
- # The message returned when Amazon Cognito hrows an invalid Lambda
6272
+ # The message returned when Amazon Cognito throws an invalid Lambda
6075
6273
  # response exception.
6076
6274
  # @return [String]
6077
6275
  #
@@ -6308,7 +6506,8 @@ module Aws::CognitoIdentityProvider
6308
6506
  # }
6309
6507
  #
6310
6508
  # @!attribute [rw] access_token
6311
- # The access tokens for the request to list devices.
6509
+ # A valid access token that Amazon Cognito issued to the user whose
6510
+ # list of devices you want to view.
6312
6511
  # @return [String]
6313
6512
  #
6314
6513
  # @!attribute [rw] limit
@@ -6414,7 +6613,7 @@ module Aws::CognitoIdentityProvider
6414
6613
  # @return [String]
6415
6614
  #
6416
6615
  # @!attribute [rw] max_results
6417
- # The maximum number of identity providers to return.
6616
+ # The maximum number of IdPs to return.
6418
6617
  # @return [Integer]
6419
6618
  #
6420
6619
  # @!attribute [rw] next_token
@@ -6432,7 +6631,7 @@ module Aws::CognitoIdentityProvider
6432
6631
  end
6433
6632
 
6434
6633
  # @!attribute [rw] providers
6435
- # A list of identity provider objects.
6634
+ # A list of IdP objects.
6436
6635
  # @return [Array<Types::ProviderDescription>]
6437
6636
  #
6438
6637
  # @!attribute [rw] next_token
@@ -6738,9 +6937,8 @@ module Aws::CognitoIdentityProvider
6738
6937
  # @return [Array<Types::UserType>]
6739
6938
  #
6740
6939
  # @!attribute [rw] next_token
6741
- # An identifier that was returned from the previous call to this
6742
- # operation, which can be used to return the next set of items in the
6743
- # list.
6940
+ # An identifier that you can use in a later request to return the next
6941
+ # set of items in the list.
6744
6942
  # @return [String]
6745
6943
  #
6746
6944
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/ListUsersInGroupResponse AWS API Documentation
@@ -6831,8 +7029,8 @@ module Aws::CognitoIdentityProvider
6831
7029
  # Custom attributes aren't searchable.
6832
7030
  #
6833
7031
  # <note markdown="1"> You can also list users with a client-side filter. The server-side
6834
- # filter matches no more than 1 attribute. For an advanced search, use
6835
- # a client-side filter with the `--query` parameter of the
7032
+ # filter matches no more than one attribute. For an advanced search,
7033
+ # use a client-side filter with the `--query` parameter of the
6836
7034
  # `list-users` action in the CLI. When you use a client-side filter,
6837
7035
  # ListUsers returns a paginated list of zero or more users. You can
6838
7036
  # receive multiple pages in a row with zero results. Repeat the query
@@ -7190,8 +7388,8 @@ module Aws::CognitoIdentityProvider
7190
7388
  # administrator must reset their password.
7191
7389
  #
7192
7390
  # <note markdown="1"> When you set `TemporaryPasswordValidityDays` for a user pool, you
7193
- # can no longer set the deprecated `UnusedAccountValidityDays` value
7194
- # for that user pool.
7391
+ # can no longer set a value for the legacy `UnusedAccountValidityDays`
7392
+ # parameter in that user pool.
7195
7393
  #
7196
7394
  # </note>
7197
7395
  # @return [Integer]
@@ -7237,14 +7435,14 @@ module Aws::CognitoIdentityProvider
7237
7435
  include Aws::Structure
7238
7436
  end
7239
7437
 
7240
- # A container for identity provider details.
7438
+ # A container for IdP details.
7241
7439
  #
7242
7440
  # @!attribute [rw] provider_name
7243
- # The identity provider name.
7441
+ # The IdP name.
7244
7442
  # @return [String]
7245
7443
  #
7246
7444
  # @!attribute [rw] provider_type
7247
- # The identity provider type.
7445
+ # The IdP type.
7248
7446
  # @return [String]
7249
7447
  #
7250
7448
  # @!attribute [rw] last_modified_date
@@ -7266,8 +7464,7 @@ module Aws::CognitoIdentityProvider
7266
7464
  include Aws::Structure
7267
7465
  end
7268
7466
 
7269
- # A container for information about an identity provider for a user
7270
- # pool.
7467
+ # A container for information about an IdP for a user pool.
7271
7468
  #
7272
7469
  # @note When making an API call, you may pass ProviderUserIdentifierType
7273
7470
  # data as a hash:
@@ -7340,6 +7537,7 @@ module Aws::CognitoIdentityProvider
7340
7537
  # client_id: "ClientIdType", # required
7341
7538
  # secret_hash: "SecretHashType",
7342
7539
  # user_context_data: {
7540
+ # ip_address: "StringType",
7343
7541
  # encoded_data: "StringType",
7344
7542
  # },
7345
7543
  # username: "UsernameType", # required
@@ -7362,9 +7560,11 @@ module Aws::CognitoIdentityProvider
7362
7560
  # @return [String]
7363
7561
  #
7364
7562
  # @!attribute [rw] user_context_data
7365
- # Contextual data such as the user's device fingerprint, IP address,
7366
- # or location used for evaluating the risk of an unexpected event by
7367
- # Amazon Cognito advanced security.
7563
+ # Contextual data about your user session, such as the device
7564
+ # fingerprint, IP address, or location. Amazon Cognito advanced
7565
+ # security evaluates the risk of an authentication event based on the
7566
+ # context that your app generates and passes to Amazon Cognito when it
7567
+ # makes API requests.
7368
7568
  # @return [Types::UserContextDataType]
7369
7569
  #
7370
7570
  # @!attribute [rw] username
@@ -7373,8 +7573,8 @@ module Aws::CognitoIdentityProvider
7373
7573
  # @return [String]
7374
7574
  #
7375
7575
  # @!attribute [rw] analytics_metadata
7376
- # The Amazon Pinpoint analytics metadata for collecting metrics for
7377
- # `ResendConfirmationCode` calls.
7576
+ # The Amazon Pinpoint analytics metadata that contributes to your
7577
+ # metrics for `ResendConfirmationCode` calls.
7378
7578
  # @return [Types::AnalyticsMetadataType]
7379
7579
  #
7380
7580
  # @!attribute [rw] client_metadata
@@ -7532,6 +7732,7 @@ module Aws::CognitoIdentityProvider
7532
7732
  # analytics_endpoint_id: "StringType",
7533
7733
  # },
7534
7734
  # user_context_data: {
7735
+ # ip_address: "StringType",
7535
7736
  # encoded_data: "StringType",
7536
7737
  # },
7537
7738
  # client_metadata: {
@@ -7577,13 +7778,27 @@ module Aws::CognitoIdentityProvider
7577
7778
  # * `PASSWORD_VERIFIER`\: `PASSWORD_CLAIM_SIGNATURE`,
7578
7779
  # `PASSWORD_CLAIM_SECRET_BLOCK`, `TIMESTAMP`, `USERNAME`.
7579
7780
  #
7580
- # <note markdown="1"> `PASSWORD_VERIFIER` requires `DEVICE_KEY` when signing in with a
7781
+ # <note markdown="1"> `PASSWORD_VERIFIER` requires `DEVICE_KEY` when you sign in with a
7581
7782
  # remembered device.
7582
7783
  #
7583
7784
  # </note>
7584
7785
  #
7585
- # * `NEW_PASSWORD_REQUIRED`\: `NEW_PASSWORD`, any other required
7586
- # attributes, `USERNAME`.
7786
+ # * `NEW_PASSWORD_REQUIRED`\: `NEW_PASSWORD`, `USERNAME`,
7787
+ # `SECRET_HASH` (if app client is configured with client secret). To
7788
+ # set any required attributes that Amazon Cognito returned as
7789
+ # `requiredAttributes` in the `InitiateAuth` response, add a
7790
+ # `userAttributes.attributename ` parameter. This parameter can also
7791
+ # set values for writable attributes that aren't required by your
7792
+ # user pool.
7793
+ #
7794
+ # <note markdown="1"> In a `NEW_PASSWORD_REQUIRED` challenge response, you can't modify
7795
+ # a required attribute that already has a value. In
7796
+ # `RespondToAuthChallenge`, set a value for any keys that Amazon
7797
+ # Cognito returned in the `requiredAttributes` parameter, then use
7798
+ # the `UpdateUserAttributes` API operation to modify the value of
7799
+ # any additional attributes.
7800
+ #
7801
+ # </note>
7587
7802
  #
7588
7803
  # * `SOFTWARE_TOKEN_MFA`\: `USERNAME` and `SOFTWARE_TOKEN_MFA_CODE`
7589
7804
  # are required attributes.
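Review bot: In the new `NEW_PASSWORD_REQUIRED` bullet, `userAttributes.attributename ` carries a trailing space inside the code span and reads as a literal key rather than a pattern. Marking the variable part would make the text harder to copy wrongly, for example `userAttributes.<attribute_name>`. The bullet also lists `SECRET_HASH` only for this challenge with "(if app client is configured with client secret)"; if the same condition applies to the other challenge types, it would be clearer stated once for the whole list. The comment block continues outside this hunk.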
@@ -7600,14 +7815,16 @@ module Aws::CognitoIdentityProvider
7600
7815
  # @return [Hash<String,String>]
7601
7816
  #
7602
7817
  # @!attribute [rw] analytics_metadata
7603
- # The Amazon Pinpoint analytics metadata for collecting metrics for
7604
- # `RespondToAuthChallenge` calls.
7818
+ # The Amazon Pinpoint analytics metadata that contributes to your
7819
+ # metrics for `RespondToAuthChallenge` calls.
7605
7820
  # @return [Types::AnalyticsMetadataType]
7606
7821
  #
7607
7822
  # @!attribute [rw] user_context_data
7608
- # Contextual data such as the user's device fingerprint, IP address,
7609
- # or location used for evaluating the risk of an unexpected event by
7610
- # Amazon Cognito advanced security.
7823
+ # Contextual data about your user session, such as the device
7824
+ # fingerprint, IP address, or location. Amazon Cognito advanced
7825
+ # security evaluates the risk of an authentication event based on the
7826
+ # context that your app generates and passes to Amazon Cognito when it
7827
+ # makes API requests.
7611
7828
  # @return [Types::UserContextDataType]
7612
7829
  #
7613
7830
  # @!attribute [rw] client_metadata
@@ -7903,13 +8120,13 @@ module Aws::CognitoIdentityProvider
7903
8120
  # @!attribute [rw] mutable
7904
8121
  # Specifies whether the value of the attribute can be changed.
7905
8122
  #
7906
- # For any user pool attribute that is mapped to an identity provider
7907
- # attribute, you must set this parameter to `true`. Amazon Cognito
7908
- # updates mapped attributes when users sign in to your application
7909
- # through an identity provider. If an attribute is immutable, Amazon
7910
- # Cognito throws an error when it attempts to update the attribute.
7911
- # For more information, see [Specifying Identity Provider Attribute
7912
- # Mappings for Your User Pool][1].
8123
+ # For any user pool attribute that is mapped to an IdP attribute, you
8124
+ # must set this parameter to `true`. Amazon Cognito updates mapped
8125
+ # attributes when users sign in to your application through an IdP. If
8126
+ # an attribute is immutable, Amazon Cognito throws an error when it
8127
+ # attempts to update the attribute. For more information, see
8128
+ # [Specifying Identity Provider Attribute Mappings for Your User
8129
+ # Pool][1].
7913
8130
  #
7914
8131
  #
7915
8132
  #
@@ -8131,11 +8348,12 @@ module Aws::CognitoIdentityProvider
8131
8348
  # @return [Types::SMSMfaSettingsType]
8132
8349
  #
8133
8350
  # @!attribute [rw] software_token_mfa_settings
8134
- # The time-based one-time password software token MFA settings.
8351
+ # The time-based one-time password (TOTP) software token MFA settings.
8135
8352
  # @return [Types::SoftwareTokenMfaSettingsType]
8136
8353
  #
8137
8354
  # @!attribute [rw] access_token
8138
- # The access token for the user.
8355
+ # A valid access token that Amazon Cognito issued to the user whose
8356
+ # MFA preference you want to set.
8139
8357
  # @return [String]
8140
8358
  #
8141
8359
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/SetUserMFAPreferenceRequest AWS API Documentation
@@ -8254,7 +8472,8 @@ module Aws::CognitoIdentityProvider
8254
8472
  # }
8255
8473
  #
8256
8474
  # @!attribute [rw] access_token
8257
- # The access token for the set user settings request.
8475
+ # A valid access token that Amazon Cognito issued to the user whose
8476
+ # user settings you want to configure.
8258
8477
  # @return [String]
8259
8478
  #
8260
8479
  # @!attribute [rw] mfa_options
@@ -8303,6 +8522,7 @@ module Aws::CognitoIdentityProvider
8303
8522
  # analytics_endpoint_id: "StringType",
8304
8523
  # },
8305
8524
  # user_context_data: {
8525
+ # ip_address: "StringType",
8306
8526
  # encoded_data: "StringType",
8307
8527
  # },
8308
8528
  # client_metadata: {
@@ -8340,14 +8560,16 @@ module Aws::CognitoIdentityProvider
8340
8560
  # @return [Array<Types::AttributeType>]
8341
8561
  #
8342
8562
  # @!attribute [rw] analytics_metadata
8343
- # The Amazon Pinpoint analytics metadata for collecting metrics for
8344
- # `SignUp` calls.
8563
+ # The Amazon Pinpoint analytics metadata that contributes to your
8564
+ # metrics for `SignUp` calls.
8345
8565
  # @return [Types::AnalyticsMetadataType]
8346
8566
  #
8347
8567
  # @!attribute [rw] user_context_data
8348
- # Contextual data such as the user's device fingerprint, IP address,
8349
- # or location used for evaluating the risk of an unexpected event by
8350
- # Amazon Cognito advanced security.
8568
+ # Contextual data about your user session, such as the device
8569
+ # fingerprint, IP address, or location. Amazon Cognito advanced
8570
+ # security evaluates the risk of an authentication event based on the
8571
+ # context that your app generates and passes to Amazon Cognito when it
8572
+ # makes API requests.
8351
8573
  # @return [Types::UserContextDataType]
8352
8574
  #
8353
8575
  # @!attribute [rw] client_metadata
@@ -8760,8 +8982,8 @@ module Aws::CognitoIdentityProvider
8760
8982
  #
8761
8983
  class TagResourceResponse < Aws::EmptyStructure; end
8762
8984
 
8763
- # The data type for TokenValidityUnits that specifics the time
8764
- # measurements for token validity.
8985
+ # The data type TokenValidityUnits specifies the time units you use when
8986
+ # you set the duration of ID, access, and refresh tokens.
8765
8987
  #
8766
8988
  # @note When making an API call, you may pass TokenValidityUnitsType
8767
8989
  # data as a hash:
@@ -8773,18 +8995,21 @@ module Aws::CognitoIdentityProvider
8773
8995
  # }
8774
8996
  #
8775
8997
  # @!attribute [rw] access_token
8776
- # A time unit in seconds”, minutes”, hours”, or days for the
8777
- # value in AccessTokenValidity, defaulting to hours.
8998
+ # A time unit of `seconds`, `minutes`, `hours`, or `days` for the
8999
+ # value that you set in the `AccessTokenValidity` parameter. The
9000
+ # default `AccessTokenValidity` time unit is hours.
8778
9001
  # @return [String]
8779
9002
  #
8780
9003
  # @!attribute [rw] id_token
8781
- # A time unit in seconds”, minutes”, hours”, or days for the
8782
- # value in IdTokenValidity, defaulting to hours.
9004
+ # A time unit of `seconds`, `minutes`, `hours`, or `days` for the
9005
+ # value that you set in the `IdTokenValidity` parameter. The default
9006
+ # `IdTokenValidity` time unit is hours.
8783
9007
  # @return [String]
8784
9008
  #
8785
9009
  # @!attribute [rw] refresh_token
8786
- # A time unit in seconds”, minutes”, hours”, or days for the
8787
- # value in RefreshTokenValidity, defaulting to days.
9010
+ # A time unit of `seconds`, `minutes`, `hours`, or `days` for the
9011
+ # value that you set in the `RefreshTokenValidity` parameter. The
9012
+ # default `RefreshTokenValidity` time unit is days.
8788
9013
  # @return [String]
8789
9014
  #
8790
9015
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/TokenValidityUnitsType AWS API Documentation
@@ -9049,7 +9274,8 @@ module Aws::CognitoIdentityProvider
9049
9274
  # }
9050
9275
  #
9051
9276
  # @!attribute [rw] access_token
9052
- # The access token.
9277
+ # A valid access token that Amazon Cognito issued to the user whose
9278
+ # device status you want to update.
9053
9279
  # @return [String]
9054
9280
  #
9055
9281
  # @!attribute [rw] device_key
@@ -9158,20 +9384,20 @@ module Aws::CognitoIdentityProvider
9158
9384
  # @return [String]
9159
9385
  #
9160
9386
  # @!attribute [rw] provider_name
9161
- # The identity provider name.
9387
+ # The IdP name.
9162
9388
  # @return [String]
9163
9389
  #
9164
9390
  # @!attribute [rw] provider_details
9165
- # The identity provider details to be updated, such as `MetadataURL`
9166
- # and `MetadataFile`.
9391
+ # The IdP details to be updated, such as `MetadataURL` and
9392
+ # `MetadataFile`.
9167
9393
  # @return [Hash<String,String>]
9168
9394
  #
9169
9395
  # @!attribute [rw] attribute_mapping
9170
- # The identity provider attribute mapping to be changed.
9396
+ # The IdP attribute mapping to be changed.
9171
9397
  # @return [Hash<String,String>]
9172
9398
  #
9173
9399
  # @!attribute [rw] idp_identifiers
9174
- # A list of identity provider identifiers.
9400
+ # A list of IdP identifiers.
9175
9401
  # @return [Array<String>]
9176
9402
  #
9177
9403
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/UpdateIdentityProviderRequest AWS API Documentation
@@ -9187,7 +9413,7 @@ module Aws::CognitoIdentityProvider
9187
9413
  end
9188
9414
 
9189
9415
  # @!attribute [rw] identity_provider
9190
- # The identity provider object.
9416
+ # The IdP object.
9191
9417
  # @return [Types::IdentityProviderType]
9192
9418
  #
9193
9419
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/UpdateIdentityProviderResponse AWS API Documentation
@@ -9275,10 +9501,19 @@ module Aws::CognitoIdentityProvider
9275
9501
  #
9276
9502
  # For custom attributes, you must prepend the `custom:` prefix to the
9277
9503
  # attribute name.
9504
+ #
9505
+ # If you have set an attribute to require verification before Amazon
9506
+ # Cognito updates its value, this request doesn’t immediately update
9507
+ # the value of that attribute. After your user receives and responds
9508
+ # to a verification message to verify the new value, Amazon Cognito
9509
+ # updates the attribute value. Your user can sign in and receive
9510
+ # messages with the original attribute value until they verify the new
9511
+ # value.
9278
9512
  # @return [Array<Types::AttributeType>]
9279
9513
  #
9280
9514
  # @!attribute [rw] access_token
9281
- # The access token for the request to update user attributes.
9515
+ # A valid access token that Amazon Cognito issued to the user whose
9516
+ # user attributes you want to update.
9282
9517
  # @return [String]
9283
9518
  #
9284
9519
  # @!attribute [rw] client_metadata
@@ -9381,6 +9616,7 @@ module Aws::CognitoIdentityProvider
9381
9616
  # },
9382
9617
  # prevent_user_existence_errors: "LEGACY", # accepts LEGACY, ENABLED
9383
9618
  # enable_token_revocation: false,
9619
+ # enable_propagate_additional_user_context_data: false,
9384
9620
  # }
9385
9621
  #
9386
9622
  # @!attribute [rw] user_pool_id
@@ -9397,23 +9633,53 @@ module Aws::CognitoIdentityProvider
9397
9633
  # @return [String]
9398
9634
  #
9399
9635
  # @!attribute [rw] refresh_token_validity
9400
- # The time limit, in days, after which the refresh token is no longer
9401
- # valid and can't be used.
9636
+ # The refresh token time limit. After this limit expires, your user
9637
+ # can't use their refresh token. To specify the time unit for
9638
+ # `RefreshTokenValidity` as `seconds`, `minutes`, `hours`, or `days`,
9639
+ # set a `TokenValidityUnits` value in your API request.
9640
+ #
9641
+ # For example, when you set `RefreshTokenValidity` as `10` and
9642
+ # `TokenValidityUnits` as `days`, your user can refresh their session
9643
+ # and retrieve new access and ID tokens for 10 days.
9644
+ #
9645
+ # The default time unit for `RefreshTokenValidity` in an API request
9646
+ # is days. You can't set `RefreshTokenValidity` to 0. If you do,
9647
+ # Amazon Cognito overrides the value with the default value of 30
9648
+ # days. *Valid range* is displayed below in seconds.
9402
9649
  # @return [Integer]
9403
9650
  #
9404
9651
  # @!attribute [rw] access_token_validity
9405
- # The time limit after which the access token is no longer valid and
9406
- # can't be used.
9652
+ # The access token time limit. After this limit expires, your user
9653
+ # can't use their access token. To specify the time unit for
9654
+ # `AccessTokenValidity` as `seconds`, `minutes`, `hours`, or `days`,
9655
+ # set a `TokenValidityUnits` value in your API request.
9656
+ #
9657
+ # For example, when you set `AccessTokenValidity` to `10` and
9658
+ # `TokenValidityUnits` to `hours`, your user can authorize access with
9659
+ # their access token for 10 hours.
9660
+ #
9661
+ # The default time unit for `AccessTokenValidity` in an API request is
9662
+ # hours. *Valid range* is displayed below in seconds.
9407
9663
  # @return [Integer]
9408
9664
  #
9409
9665
  # @!attribute [rw] id_token_validity
9410
- # The time limit after which the ID token is no longer valid and
9411
- # can't be used.
9666
+ # The ID token time limit. After this limit expires, your user can't
9667
+ # use their ID token. To specify the time unit for `IdTokenValidity`
9668
+ # as `seconds`, `minutes`, `hours`, or `days`, set a
9669
+ # `TokenValidityUnits` value in your API request.
9670
+ #
9671
+ # For example, when you set `IdTokenValidity` as `10` and
9672
+ # `TokenValidityUnits` as `hours`, your user can authenticate their
9673
+ # session with their ID token for 10 hours.
9674
+ #
9675
+ # The default time unit for `AccessTokenValidity` in an API request is
9676
+ # hours. *Valid range* is displayed below in seconds.
9412
9677
  # @return [Integer]
9413
9678
  #
9414
9679
  # @!attribute [rw] token_validity_units
9415
- # The units in which the validity times are represented. Default for
9416
- # RefreshToken is days, and default for ID and access tokens is hours.
9680
+ # The units in which the validity times are represented. The default
9681
+ # unit for RefreshToken is days, and the default for ID and access
9682
+ # tokens is hours.
9417
9683
  # @return [Types::TokenValidityUnitsType]
9418
9684
  #
9419
9685
  # @!attribute [rw] read_attributes
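Review bot: The last paragraph added under `id_token_validity` says the default time unit for `AccessTokenValidity` is hours; it looks copied from the `access_token_validity` block above and should name `IdTokenValidity`. In the `refresh_token_validity` text, the sentence saying a value of 0 is replaced by the 30-day default deserves to lead its paragraph, since a caller passing 0 to get the shortest lifetime ends up with a long-lived refresh token. All three blocks end with "*Valid range* is displayed below in seconds", but no range follows in these comments, so the sentence should either give the range or be dropped.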
@@ -9453,13 +9719,14 @@ module Aws::CognitoIdentityProvider
9453
9719
  # @return [Array<String>]
9454
9720
  #
9455
9721
  # @!attribute [rw] supported_identity_providers
9456
- # A list of provider names for the identity providers that are
9457
- # supported on this client.
9722
+ # A list of provider names for the IdPs that this client supports. The
9723
+ # following are supported: `COGNITO`, `Facebook`, `Google`,
9724
+ # `SignInWithApple`, `LoginWithAmazon`, and the names of your own SAML
9725
+ # and OIDC providers.
9458
9726
  # @return [Array<String>]
9459
9727
  #
9460
9728
  # @!attribute [rw] callback_urls
9461
- # A list of allowed redirect (callback) URLs for the identity
9462
- # providers.
9729
+ # A list of allowed redirect (callback) URLs for the IdPs.
9463
9730
  #
9464
9731
  # A redirect URI must:
9465
9732
  #
@@ -9482,7 +9749,7 @@ module Aws::CognitoIdentityProvider
9482
9749
  # @return [Array<String>]
9483
9750
  #
9484
9751
  # @!attribute [rw] logout_urls
9485
- # A list of allowed logout URLs for the identity providers.
9752
+ # A list of allowed logout URLs for the IdPs.
9486
9753
  # @return [Array<String>]
9487
9754
  #
9488
9755
  # @!attribute [rw] default_redirect_uri
@@ -9511,22 +9778,28 @@ module Aws::CognitoIdentityProvider
9511
9778
  # @!attribute [rw] allowed_o_auth_flows
9512
9779
  # The allowed OAuth flows.
9513
9780
  #
9514
- # Set to `code` to initiate a code grant flow, which provides an
9515
- # authorization code as the response. This code can be exchanged for
9516
- # access tokens with the token endpoint.
9781
+ # code
9517
9782
  #
9518
- # Set to `implicit` to specify that the client should get the access
9519
- # token (and, optionally, ID token, based on scopes) directly.
9783
+ # : Use a code grant flow, which provides an authorization code as the
9784
+ # response. This code can be exchanged for access tokens with the
9785
+ # `/oauth2/token` endpoint.
9520
9786
  #
9521
- # Set to `client_credentials` to specify that the client should get
9522
- # the access token (and, optionally, ID token, based on scopes) from
9523
- # the token endpoint using a combination of client and client\_secret.
9787
+ # implicit
9788
+ #
9789
+ # : Issue the access token (and, optionally, ID token, based on
9790
+ # scopes) directly to your user.
9791
+ #
9792
+ # client\_credentials
9793
+ #
9794
+ # : Issue the access token from the `/oauth2/token` endpoint directly
9795
+ # to a non-person user using a combination of the client ID and
9796
+ # client secret.
9524
9797
  # @return [Array<String>]
9525
9798
  #
9526
9799
  # @!attribute [rw] allowed_o_auth_scopes
9527
- # The allowed OAuth scopes. Possible values provided by OAuth are:
9800
+ # The allowed OAuth scopes. Possible values provided by OAuth are
9528
9801
  # `phone`, `email`, `openid`, and `profile`. Possible values provided
9529
- # by Amazon Web Services are: `aws.cognito.signin.user.admin`. Custom
9802
+ # by Amazon Web Services are `aws.cognito.signin.user.admin`. Custom
9530
9803
  # scopes created in Resource Servers are also supported.
9531
9804
  # @return [Array<String>]
9532
9805
  #
@@ -9536,8 +9809,8 @@ module Aws::CognitoIdentityProvider
9536
9809
  # @return [Boolean]
9537
9810
  #
9538
9811
  # @!attribute [rw] analytics_configuration
9539
- # The Amazon Pinpoint analytics configuration for collecting metrics
9540
- # for this user pool.
9812
+ # The Amazon Pinpoint analytics configuration necessary to collect
9813
+ # metrics for this user pool.
9541
9814
  #
9542
9815
  # <note markdown="1"> In Amazon Web Services Regions where Amazon Pinpoint isn't
9543
9816
  # available, user pools only support sending events to Amazon Pinpoint
@@ -9576,6 +9849,20 @@ module Aws::CognitoIdentityProvider
9576
9849
  # [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_RevokeToken.html
9577
9850
  # @return [Boolean]
9578
9851
  #
9852
+ # @!attribute [rw] enable_propagate_additional_user_context_data
9853
+ # Activates the propagation of additional user context data. For more
9854
+ # information about propagation of user context data, see [ Adding
9855
+ # advanced security to a user pool][1]. If you don’t include this
9856
+ # parameter, you can't send device fingerprint information, including
9857
+ # source IP address, to Amazon Cognito advanced security. You can only
9858
+ # activate `EnablePropagateAdditionalUserContextData` in an app client
9859
+ # that has a client secret.
9860
+ #
9861
+ #
9862
+ #
9863
+ # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html
9864
+ # @return [Boolean]
9865
+ #
9579
9866
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/UpdateUserPoolClientRequest AWS API Documentation
9580
9867
  #
9581
9868
  class UpdateUserPoolClientRequest < Struct.new(
@@ -9598,7 +9885,8 @@ module Aws::CognitoIdentityProvider
9598
9885
  :allowed_o_auth_flows_user_pool_client,
9599
9886
  :analytics_configuration,
9600
9887
  :prevent_user_existence_errors,
9601
- :enable_token_revocation)
9888
+ :enable_token_revocation,
9889
+ :enable_propagate_additional_user_context_data)
9602
9890
  SENSITIVE = [:client_id]
9603
9891
  include Aws::Structure
9604
9892
  end
@@ -9729,6 +10017,9 @@ module Aws::CognitoIdentityProvider
9729
10017
  # default_email_option: "CONFIRM_WITH_LINK", # accepts CONFIRM_WITH_LINK, CONFIRM_WITH_CODE
9730
10018
  # },
9731
10019
  # sms_authentication_message: "SmsVerificationMessageType",
10020
+ # user_attribute_update_settings: {
10021
+ # attributes_require_verification_before_update: ["phone_number"], # accepts phone_number, email
10022
+ # },
9732
10023
  # mfa_configuration: "OFF", # accepts OFF, ON, OPTIONAL
9733
10024
  # device_configuration: {
9734
10025
  # challenge_required_on_new_device: false,
@@ -9809,8 +10100,21 @@ module Aws::CognitoIdentityProvider
9809
10100
  # The contents of the SMS authentication message.
9810
10101
  # @return [String]
9811
10102
  #
10103
+ # @!attribute [rw] user_attribute_update_settings
10104
+ # The settings for updates to user attributes. These settings include
10105
+ # the property `AttributesRequireVerificationBeforeUpdate`, a
10106
+ # user-pool setting that tells Amazon Cognito how to handle changes to
10107
+ # the value of your users' email address and phone number attributes.
10108
+ # For more information, see [ Verifying updates to email addresses and
10109
+ # phone numbers][1].
10110
+ #
10111
+ #
10112
+ #
10113
+ # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-email-phone-verification.html#user-pool-settings-verifications-verify-attribute-updates
10114
+ # @return [Types::UserAttributeUpdateSettingsType]
10115
+ #
9812
10116
  # @!attribute [rw] mfa_configuration
9813
- # Can be one of the following values:
10117
+ # Possible values include:
9814
10118
  #
9815
10119
  # * `OFF` - MFA tokens aren't required and can't be specified during
9816
10120
  # user registration.
@@ -9829,7 +10133,14 @@ module Aws::CognitoIdentityProvider
9829
10133
  # @return [String]
9830
10134
  #
9831
10135
  # @!attribute [rw] device_configuration
9832
- # Device configuration.
10136
+ # The device-remembering configuration for a user pool. A null value
10137
+ # indicates that you have deactivated device remembering in your user
10138
+ # pool.
10139
+ #
10140
+ # <note markdown="1"> When you provide a value for any `DeviceConfiguration` field, you
10141
+ # activate the Amazon Cognito device-remembering feature.
10142
+ #
10143
+ # </note>
9833
10144
  # @return [Types::DeviceConfigurationType]
9834
10145
  #
9835
10146
  # @!attribute [rw] email_configuration
@@ -9886,6 +10197,7 @@ module Aws::CognitoIdentityProvider
9886
10197
  :email_verification_subject,
9887
10198
  :verification_message_template,
9888
10199
  :sms_authentication_message,
10200
+ :user_attribute_update_settings,
9889
10201
  :mfa_configuration,
9890
10202
  :device_configuration,
9891
10203
  :email_configuration,
@@ -9905,6 +10217,60 @@ module Aws::CognitoIdentityProvider
9905
10217
  #
9906
10218
  class UpdateUserPoolResponse < Aws::EmptyStructure; end
9907
10219
 
10220
+ # The settings for updates to user attributes. These settings include
10221
+ # the property `AttributesRequireVerificationBeforeUpdate`, a user-pool
10222
+ # setting that tells Amazon Cognito how to handle changes to the value
10223
+ # of your users' email address and phone number attributes. For more
10224
+ # information, see [ Verifying updates to email addresses and phone
10225
+ # numbers][1].
10226
+ #
10227
+ #
10228
+ #
10229
+ # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-email-phone-verification.html#user-pool-settings-verifications-verify-attribute-updates
10230
+ #
10231
+ # @note When making an API call, you may pass UserAttributeUpdateSettingsType
10232
+ # data as a hash:
10233
+ #
10234
+ # {
10235
+ # attributes_require_verification_before_update: ["phone_number"], # accepts phone_number, email
10236
+ # }
10237
+ #
10238
+ # @!attribute [rw] attributes_require_verification_before_update
10239
+ # Requires that your user verifies their email address, phone number,
10240
+ # or both before Amazon Cognito updates the value of that attribute.
10241
+ # When you update a user attribute that has this option activated,
10242
+ # Amazon Cognito sends a verification message to the new phone number
10243
+ # or email address. Amazon Cognito doesn’t change the value of the
10244
+ # attribute until your user responds to the verification message and
10245
+ # confirms the new value.
10246
+ #
10247
+ # You can verify an updated email address or phone number with a
10248
+ # [VerifyUserAttribute][1] API request. You can also call the
10249
+ # [UpdateUserAttributes][2] or [AdminUpdateUserAttributes][3] API and
10250
+ # set `email_verified` or `phone_number_verified` to true.
10251
+ #
10252
+ # When `AttributesRequireVerificationBeforeUpdate` is false, your user
10253
+ # pool doesn't require that your users verify attribute changes
10254
+ # before Amazon Cognito updates them. In a user pool where
10255
+ # `AttributesRequireVerificationBeforeUpdate` is false, API operations
10256
+ # that change attribute values can immediately update a user’s `email`
10257
+ # or `phone_number` attribute.
10258
+ #
10259
+ #
10260
+ #
10261
+ # [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_VerifyUserAttribute.html
10262
+ # [2]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserAttributes.html
10263
+ # [3]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminUpdateUserAttributes.html
10264
+ # @return [Array<String>]
10265
+ #
10266
+ # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/UserAttributeUpdateSettingsType AWS API Documentation
10267
+ #
10268
+ class UserAttributeUpdateSettingsType < Struct.new(
10269
+ :attributes_require_verification_before_update)
10270
+ SENSITIVE = []
10271
+ include Aws::Structure
10272
+ end
10273
+
9908
10274
  # Contextual data, such as the user's device fingerprint, IP address,
9909
10275
  # or location, used for evaluating the risk of an unexpected event by
9910
10276
  # Amazon Cognito advanced security.
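Review bot: The comment on `attributes_require_verification_before_update` describes the setting as being "false", yet the attribute is declared `@return [Array<String>]` and the example passes `["phone_number"]`. The third paragraph should speak in terms of the list, presumably `# When an attribute is not listed in AttributesRequireVerificationBeforeUpdate, your user pool doesn't require that your users verify changes to it`. The second paragraph says `email_verified` or `phone_number_verified` can be set to true through `UpdateUserAttributes` or `AdminUpdateUserAttributes` without saying which caller may do so. Because that path skips the verification message, the comment should state who is allowed to use it.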
@@ -9913,18 +10279,29 @@ module Aws::CognitoIdentityProvider
9913
10279
  # data as a hash:
9914
10280
  #
9915
10281
  # {
10282
+ # ip_address: "StringType",
9916
10283
  # encoded_data: "StringType",
9917
10284
  # }
9918
10285
  #
10286
+ # @!attribute [rw] ip_address
10287
+ # The source IP address of your user's device.
10288
+ # @return [String]
10289
+ #
9919
10290
  # @!attribute [rw] encoded_data
9920
- # Contextual data, such as the user's device fingerprint, IP address,
9921
- # or location, used for evaluating the risk of an unexpected event by
9922
- # Amazon Cognito advanced security.
10291
+ # Encoded device-fingerprint details that your app collected with the
10292
+ # Amazon Cognito context data collection library. For more
10293
+ # information, see [Adding user device and session data to API
10294
+ # requests][1].
10295
+ #
10296
+ #
10297
+ #
10298
+ # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-adaptive-authentication.html#user-pool-settings-adaptive-authentication-device-fingerprint
9923
10299
  # @return [String]
9924
10300
  #
9925
10301
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/UserContextDataType AWS API Documentation
9926
10302
  #
9927
10303
  class UserContextDataType < Struct.new(
10304
+ :ip_address,
9928
10305
  :encoded_data)
9929
10306
  SENSITIVE = []
9930
10307
  include Aws::Structure
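Review bot: `ip_address` is added to `UserContextDataType` while `SENSITIVE = []` stays empty, so neither the user's source IP address nor the encoded device fingerprint is marked sensitive on this struct. Elsewhere on this page `UserPoolClientType` lists `:client_id, :client_secret` in `SENSITIVE`, which suggests the list controls what is redacted when a struct is inspected or logged. If so, these user-identifying values can land in application logs in clear text. Consider `SENSITIVE = [:ip_address, :encoded_data]`, made in the upstream API model if this file is generated. The class body continues past the end of the hunk.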
@@ -10174,24 +10551,52 @@ module Aws::CognitoIdentityProvider
10174
10551
  # @return [Time]
10175
10552
  #
10176
10553
  # @!attribute [rw] refresh_token_validity
10177
- # The time limit, in days, after which the refresh token is no longer
10178
- # valid and can't be used.
10554
+ # The refresh token time limit. After this limit expires, your user
10555
+ # can't use their refresh token. To specify the time unit for
10556
+ # `RefreshTokenValidity` as `seconds`, `minutes`, `hours`, or `days`,
10557
+ # set a `TokenValidityUnits` value in your API request.
10558
+ #
10559
+ # For example, when you set `RefreshTokenValidity` as `10` and
10560
+ # `TokenValidityUnits` as `days`, your user can refresh their session
10561
+ # and retrieve new access and ID tokens for 10 days.
10562
+ #
10563
+ # The default time unit for `RefreshTokenValidity` in an API request
10564
+ # is days. You can't set `RefreshTokenValidity` to 0. If you do,
10565
+ # Amazon Cognito overrides the value with the default value of 30
10566
+ # days. *Valid range* is displayed below in seconds.
10179
10567
  # @return [Integer]
10180
10568
  #
10181
10569
  # @!attribute [rw] access_token_validity
10182
- # The time limit, specified by tokenValidityUnits, defaulting to
10183
- # hours, after which the access token is no longer valid and can't be
10184
- # used.
10570
+ # The access token time limit. After this limit expires, your user
10571
+ # can't use their access token. To specify the time unit for
10572
+ # `AccessTokenValidity` as `seconds`, `minutes`, `hours`, or `days`,
10573
+ # set a `TokenValidityUnits` value in your API request.
10574
+ #
10575
+ # For example, when you set `AccessTokenValidity` to `10` and
10576
+ # `TokenValidityUnits` to `hours`, your user can authorize access with
10577
+ # their access token for 10 hours.
10578
+ #
10579
+ # The default time unit for `AccessTokenValidity` in an API request is
10580
+ # hours. *Valid range* is displayed below in seconds.
10185
10581
  # @return [Integer]
10186
10582
  #
10187
10583
  # @!attribute [rw] id_token_validity
10188
- # The time limit specified by tokenValidityUnits, defaulting to hours,
10189
- # after which the refresh token is no longer valid and can't be used.
10584
+ # The ID token time limit. After this limit expires, your user can't
10585
+ # use their ID token. To specify the time unit for `IdTokenValidity`
10586
+ # as `seconds`, `minutes`, `hours`, or `days`, set a
10587
+ # `TokenValidityUnits` value in your API request.
10588
+ #
10589
+ # For example, when you set `IdTokenValidity` as `10` and
10590
+ # `TokenValidityUnits` as `hours`, your user can authenticate their
10591
+ # session with their ID token for 10 hours.
10592
+ #
10593
+ # The default time unit for `AccessTokenValidity` in an API request is
10594
+ # hours. *Valid range* is displayed below in seconds.
10190
10595
  # @return [Integer]
10191
10596
  #
10192
10597
  # @!attribute [rw] token_validity_units
10193
- # The time units used to specify the token validity times of their
10194
- # respective token.
10598
+ # The time units used to specify the token validity times of each
10599
+ # token type: ID, access, and refresh.
10195
10600
  # @return [Types::TokenValidityUnitsType]
10196
10601
  #
10197
10602
  # @!attribute [rw] read_attributes
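Review bot: The last paragraph added under `id_token_validity` names the wrong parameter: it reads "The default time unit for `AccessTokenValidity` in an API request is hours", which looks copied from the `access_token_validity` block above it. It should name `IdTokenValidity`, so the sentence states the default unit of the attribute it documents. This matters to anyone auditing token lifetimes, because each of the three integers has to be read together with `token_validity_units` and its own default unit (days for refresh, hours for access, and presumably hours for ID). The three examples also alternate between "set … as `10`" and "set … to `10`"; one wording would read better.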
@@ -10231,13 +10636,14 @@ module Aws::CognitoIdentityProvider
10231
10636
  # @return [Array<String>]
10232
10637
  #
10233
10638
  # @!attribute [rw] supported_identity_providers
10234
- # A list of provider names for the identity providers that are
10235
- # supported on this client.
10639
+ # A list of provider names for the IdPs that this client supports. The
10640
+ # following are supported: `COGNITO`, `Facebook`, `Google`,
10641
+ # `SignInWithApple`, `LoginWithAmazon`, and the names of your own SAML
10642
+ # and OIDC providers.
10236
10643
  # @return [Array<String>]
10237
10644
  #
10238
10645
  # @!attribute [rw] callback_urls
10239
- # A list of allowed redirect (callback) URLs for the identity
10240
- # providers.
10646
+ # A list of allowed redirect (callback) URLs for the IdPs.
10241
10647
  #
10242
10648
  # A redirect URI must:
10243
10649
  #
@@ -10260,7 +10666,7 @@ module Aws::CognitoIdentityProvider
10260
10666
  # @return [Array<String>]
10261
10667
  #
10262
10668
  # @!attribute [rw] logout_urls
10263
- # A list of allowed logout URLs for the identity providers.
10669
+ # A list of allowed logout URLs for the IdPs.
10264
10670
  # @return [Array<String>]
10265
10671
  #
10266
10672
  # @!attribute [rw] default_redirect_uri
@@ -10289,23 +10695,30 @@ module Aws::CognitoIdentityProvider
10289
10695
  # @!attribute [rw] allowed_o_auth_flows
10290
10696
  # The allowed OAuth flows.
10291
10697
  #
10292
- # Set to `code` to initiate a code grant flow, which provides an
10293
- # authorization code as the response. This code can be exchanged for
10294
- # access tokens with the token endpoint.
10698
+ # code
10699
+ #
10700
+ # : Use a code grant flow, which provides an authorization code as the
10701
+ # response. This code can be exchanged for access tokens with the
10702
+ # `/oauth2/token` endpoint.
10703
+ #
10704
+ # implicit
10295
10705
  #
10296
- # Set to `implicit` to specify that the client should get the access
10297
- # token (and, optionally, ID token, based on scopes) directly.
10706
+ # : Issue the access token (and, optionally, ID token, based on
10707
+ # scopes) directly to your user.
10298
10708
  #
10299
- # Set to `client_credentials` to specify that the client should get
10300
- # the access token (and, optionally, ID token, based on scopes) from
10301
- # the token endpoint using a combination of client and client\_secret.
10709
+ # client\_credentials
10710
+ #
10711
+ # : Issue the access token from the `/oauth2/token` endpoint directly
10712
+ # to a non-person user using a combination of the client ID and
10713
+ # client secret.
10302
10714
  # @return [Array<String>]
10303
10715
  #
10304
10716
  # @!attribute [rw] allowed_o_auth_scopes
10305
- # The allowed OAuth scopes. Possible values provided by OAuth are:
10306
- # `phone`, `email`, `openid`, and `profile`. Possible values provided
10307
- # by Amazon Web Services are: `aws.cognito.signin.user.admin`. Custom
10308
- # scopes created in Resource Servers are also supported.
10717
+ # The OAuth scopes that your app client supports. Possible values that
10718
+ # OAuth provides are `phone`, `email`, `openid`, and `profile`.
10719
+ # Possible values that Amazon Web Services provides are
10720
+ # `aws.cognito.signin.user.admin`. Amazon Cognito also supports custom
10721
+ # scopes that you create in Resource Servers.
10309
10722
  # @return [Array<String>]
10310
10723
  #
10311
10724
  # @!attribute [rw] allowed_o_auth_flows_user_pool_client
@@ -10339,8 +10752,8 @@ module Aws::CognitoIdentityProvider
10339
10752
  #
10340
10753
  # * `ENABLED` - This prevents user existence-related errors.
10341
10754
  #
10342
- # * `LEGACY` - This represents the old behavior of Cognito where user
10343
- # existence related errors aren't prevented.
10755
+ # * `LEGACY` - This represents the old behavior of Amazon Cognito
10756
+ # where user existence related errors aren't prevented.
10344
10757
  # @return [String]
10345
10758
  #
10346
10759
  # @!attribute [rw] enable_token_revocation
@@ -10354,6 +10767,33 @@ module Aws::CognitoIdentityProvider
10354
10767
  # [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_RevokeToken.html
10355
10768
  # @return [Boolean]
10356
10769
  #
10770
+ # @!attribute [rw] enable_propagate_additional_user_context_data
10771
+ # When `EnablePropagateAdditionalUserContextData` is true, Amazon
10772
+ # Cognito accepts an `IpAddress` value that you send in the
10773
+ # `UserContextData` parameter. The `UserContextData` parameter sends
10774
+ # information to Amazon Cognito advanced security for risk analysis.
10775
+ # You can send `UserContextData` when you sign in Amazon Cognito
10776
+ # native users with the `InitiateAuth` and `RespondToAuthChallenge`
10777
+ # API operations.
10778
+ #
10779
+ # When `EnablePropagateAdditionalUserContextData` is false, you can't
10780
+ # send your user's source IP address to Amazon Cognito advanced
10781
+ # security with unauthenticated API operations.
10782
+ # `EnablePropagateAdditionalUserContextData` doesn't affect whether
10783
+ # you can send a source IP address in a `ContextData` parameter with
10784
+ # the authenticated API operations `AdminInitiateAuth` and
10785
+ # `AdminRespondToAuthChallenge`.
10786
+ #
10787
+ # You can only activate `EnablePropagateAdditionalUserContextData` in
10788
+ # an app client that has a client secret. For more information about
10789
+ # propagation of user context data, see [Adding user device and
10790
+ # session data to API requests][1].
10791
+ #
10792
+ #
10793
+ #
10794
+ # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-adaptive-authentication.html#user-pool-settings-adaptive-authentication-device-fingerprint
10795
+ # @return [Boolean]
10796
+ #
10357
10797
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/UserPoolClientType AWS API Documentation
10358
10798
  #
10359
10799
  class UserPoolClientType < Struct.new(
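Review bot: The new `enable_propagate_additional_user_context_data` text says Amazon Cognito "accepts an `IpAddress` value that you send", but it does not say that the value is whatever the calling application supplies. The visible text describes no validation of it. Since the value feeds advanced-security risk analysis, a sentence on provenance would help integrators, for example `# Populate IpAddress in your server-side code from the client connection, not from data the end user controls.` The client-secret requirement in the last paragraph already implies a confidential, server-side caller, and the added sentence would make that explicit. The `UserPoolClientType` class that this attribute documents continues outside the hunk.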
@@ -10379,7 +10819,8 @@ module Aws::CognitoIdentityProvider
10379
10819
  :allowed_o_auth_flows_user_pool_client,
10380
10820
  :analytics_configuration,
10381
10821
  :prevent_user_existence_errors,
10382
- :enable_token_revocation)
10822
+ :enable_token_revocation,
10823
+ :enable_propagate_additional_user_context_data)
10383
10824
  SENSITIVE = [:client_id, :client_secret]
10384
10825
  include Aws::Structure
10385
10826
  end
@@ -10532,6 +10973,19 @@ module Aws::CognitoIdentityProvider
10532
10973
  # The contents of the SMS authentication message.
10533
10974
  # @return [String]
10534
10975
  #
10976
+ # @!attribute [rw] user_attribute_update_settings
10977
+ # The settings for updates to user attributes. These settings include
10978
+ # the property `AttributesRequireVerificationBeforeUpdate`, a
10979
+ # user-pool setting that tells Amazon Cognito how to handle changes to
10980
+ # the value of your users' email address and phone number attributes.
10981
+ # For more information, see [ Verifying updates to email addresses and
10982
+ # phone numbers][1].
10983
+ #
10984
+ #
10985
+ #
10986
+ # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-email-phone-verification.html#user-pool-settings-verifications-verify-attribute-updates
10987
+ # @return [Types::UserAttributeUpdateSettingsType]
10988
+ #
10535
10989
  # @!attribute [rw] mfa_configuration
10536
10990
  # Can be one of the following values:
10537
10991
  #
@@ -10546,7 +11000,14 @@ module Aws::CognitoIdentityProvider
10546
11000
  # @return [String]
10547
11001
  #
10548
11002
  # @!attribute [rw] device_configuration
10549
- # The device configuration.
11003
+ # The device-remembering configuration for a user pool. A null value
11004
+ # indicates that you have deactivated device remembering in your user
11005
+ # pool.
11006
+ #
11007
+ # <note markdown="1"> When you provide a value for any `DeviceConfiguration` field, you
11008
+ # activate the Amazon Cognito device-remembering feature.
11009
+ #
11010
+ # </note>
10550
11011
  # @return [Types::DeviceConfigurationType]
10551
11012
  #
10552
11013
  # @!attribute [rw] estimated_number_of_users
@@ -10681,6 +11142,7 @@ module Aws::CognitoIdentityProvider
10681
11142
  :email_verification_subject,
10682
11143
  :verification_message_template,
10683
11144
  :sms_authentication_message,
11145
+ :user_attribute_update_settings,
10684
11146
  :mfa_configuration,
10685
11147
  :device_configuration,
10686
11148
  :estimated_number_of_users,
@@ -10700,7 +11162,7 @@ module Aws::CognitoIdentityProvider
10700
11162
  include Aws::Structure
10701
11163
  end
10702
11164
 
10703
- # The user type.
11165
+ # A user profile in a Amazon Cognito user pool.
10704
11166
  #
10705
11167
  # @!attribute [rw] username
10706
11168
  # The user name of the user you want to describe.
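Review bot: The replacement summary line reads "A user profile in a Amazon Cognito user pool", where the article should be "an". The corrected line is `# A user profile in an Amazon Cognito user pool.` The change is documentation only, and the rest of the struct's documentation lies outside the hunk.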
@@ -10729,6 +11191,8 @@ module Aws::CognitoIdentityProvider
10729
11191
  #
10730
11192
  # * CONFIRMED - User has been confirmed.
10731
11193
  #
11194
+ # * EXTERNAL\_PROVIDER - User signed in with a third-party IdP.
11195
+ #
10732
11196
  # * ARCHIVED - User is no longer active.
10733
11197
  #
10734
11198
  # * UNKNOWN - User status isn't known.
@@ -10770,7 +11234,7 @@ module Aws::CognitoIdentityProvider
10770
11234
  # }
10771
11235
  #
10772
11236
  # @!attribute [rw] case_sensitive
10773
- # Specifies whether username case sensitivity will be applied for all
11237
+ # Specifies whether user name case sensitivity will be applied for all
10774
11238
  # users in the user pool through Amazon Cognito APIs.
10775
11239
  #
10776
11240
  # Valid values include:
@@ -10830,12 +11294,16 @@ module Aws::CognitoIdentityProvider
10830
11294
  # }
10831
11295
  #
10832
11296
  # @!attribute [rw] sms_message
10833
- # The SMS message template.
11297
+ # The template for SMS messages that Amazon Cognito sends to your
11298
+ # users.
10834
11299
  # @return [String]
10835
11300
  #
10836
11301
  # @!attribute [rw] email_message
10837
- # The email message template. EmailMessage is allowed only if [
10838
- # EmailSendingAccount][1] is DEVELOPER.
11302
+ # The template for email messages that Amazon Cognito sends to your
11303
+ # users. You can set an `EmailMessage` template only if the value of [
11304
+ # EmailSendingAccount][1] is `DEVELOPER`. When your
11305
+ # [EmailSendingAccount][1] is `DEVELOPER`, your user pool sends email
11306
+ # messages with your own Amazon SES configuration.
10839
11307
  #
10840
11308
  #
10841
11309
  #
@@ -10843,8 +11311,11 @@ module Aws::CognitoIdentityProvider
10843
11311
  # @return [String]
10844
11312
  #
10845
11313
  # @!attribute [rw] email_subject
10846
- # The subject line for the email message template. EmailSubject is
10847
- # allowed only if [EmailSendingAccount][1] is DEVELOPER.
11314
+ # The subject line for the email message template. You can set an
11315
+ # `EmailSubject` template only if the value of [
11316
+ # EmailSendingAccount][1] is `DEVELOPER`. When your
11317
+ # [EmailSendingAccount][1] is `DEVELOPER`, your user pool sends email
11318
+ # messages with your own Amazon SES configuration.
10848
11319
  #
10849
11320
  #
10850
11321
  #
@@ -10853,8 +11324,10 @@ module Aws::CognitoIdentityProvider
10853
11324
  #
10854
11325
  # @!attribute [rw] email_message_by_link
10855
11326
  # The email message template for sending a confirmation link to the
10856
- # user. EmailMessageByLink is allowed only if [
10857
- # EmailSendingAccount][1] is DEVELOPER.
11327
+ # user. You can set an `EmailMessageByLink` template only if the value
11328
+ # of [ EmailSendingAccount][1] is `DEVELOPER`. When your
11329
+ # [EmailSendingAccount][1] is `DEVELOPER`, your user pool sends email
11330
+ # messages with your own Amazon SES configuration.
10858
11331
  #
10859
11332
  #
10860
11333
  #
@@ -10863,8 +11336,11 @@ module Aws::CognitoIdentityProvider
10863
11336
  #
10864
11337
  # @!attribute [rw] email_subject_by_link
10865
11338
  # The subject line for the email message template for sending a
10866
- # confirmation link to the user. EmailSubjectByLink is allowed only [
10867
- # EmailSendingAccount][1] is DEVELOPER.
11339
+ # confirmation link to the user. You can set an `EmailSubjectByLink`
11340
+ # template only if the value of [ EmailSendingAccount][1] is
11341
+ # `DEVELOPER`. When your [EmailSendingAccount][1] is `DEVELOPER`, your
11342
+ # user pool sends email messages with your own Amazon SES
11343
+ # configuration.
10868
11344
  #
10869
11345
  #
10870
11346
  #
@@ -10899,7 +11375,8 @@ module Aws::CognitoIdentityProvider
10899
11375
  # }
10900
11376
  #
10901
11377
  # @!attribute [rw] access_token
10902
- # The access token.
11378
+ # A valid access token that Amazon Cognito issued to the user whose
11379
+ # software token you want to verify.
10903
11380
  # @return [String]
10904
11381
  #
10905
11382
  # @!attribute [rw] session
@@ -10961,7 +11438,8 @@ module Aws::CognitoIdentityProvider
10961
11438
  # }
10962
11439
  #
10963
11440
  # @!attribute [rw] access_token
10964
- # The access token of the request to verify user attributes.
11441
+ # A valid access token that Amazon Cognito issued to the user whose
11442
+ # user attributes you want to verify.
10965
11443
  # @return [String]
10966
11444
  #
10967
11445
  # @!attribute [rw] attribute_name